
Avatar .htaccess is preventing avatar from being shown

Open videsignz opened this issue 9 years ago • 9 comments

I cannot quite put my finger on it, but a line in the .htaccess file in the public/avatars folder is causing the JPEG to not be shown.

This line, to be exact: php_flag engine off

Any ideas as to why the image will not show?

videsignz avatar Feb 15 '16 16:02 videsignz

Sure about that? The JPEGs in all applications I have running on huge are shown perfectly! The line was committed as a security improvement that prevents users from uploading PHP code with a file renamed to .jpg :)

panique avatar Feb 15 '16 16:02 panique

Completely sure on this one :( If I comment it out, the image shows.

videsignz avatar Feb 15 '16 16:02 videsignz

I should note, I have not added or modified any .htaccess files and the MVC is freshly loaded on a new site in the base folder.

videsignz avatar Feb 15 '16 16:02 videsignz

Hmmmm...after researching all morning until now, I am not sure how secure even the current setup is. I wish I knew more about the real risks and how to test the security of it within this framework.

What puzzles me is the addHandler. From what I gathered we would want removeHandler instead. Am I missing something here?

For now though, I need to comment php_flag engine off in order to show avatars.

I found a discussion here about the same issue, maybe others here can have a look.

http://twiki.org/cgi-bin/view/Support/PhpFlagEngineOffBreaksRendering

videsignz avatar Feb 15 '16 18:02 videsignz

I have the same trouble, just to say it is not a unique trouble. For myself, I don't use autoload; I call each file alone.

meduim avatar Mar 23 '16 12:03 meduim

I ran into a similar problem with php_flag engine off, which was stopping avatars (and images from other such folders) from showing images. Commenting out the offending line and adding the below worked for me:

<Files ~ "\.(htm|html|shtml|php|js|php3|php4|phtml|pl|py|jsp|sh|cgi)$">
    Order Deny,Allow
    Deny from all
</Files>

Tafaqari avatar Oct 24 '16 07:10 Tafaqari

If I am right, php_flag engine off works if PHP is configured to run as an Apache module. If not, it'll throw an Error 500. It would be a good idea to wrap it with <IfModule mod_php5.c> ... </IfModule>.

sr-verde avatar Jan 16 '17 12:01 sr-verde

I had this issue recently. I changed php_flag engine off to:

<Files ~ "\.(htm|html|shtml|php|js|php3|php4|phtml|pl|py|jsp|sh|cgi)$">
    Order Deny,Allow
    Deny from all
</Files>
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>

freestyledork avatar May 03 '17 22:05 freestyledork

Where is your application running? If it is running on public web hosting, there may be some restrictions on .htaccess, forbidding some commands.

I have the same problem with loading avatars, and I figured out that my web hosting has disallowed almost all commands in this .htaccess - Options -ExecCGI, AddHandler and php_flag.

If I delete or comment out these lines, the images show. But how do I preserve this security improvement?

solis32 avatar Dec 21 '17 22:12 solis32
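
Added example, not part of the thread and not the huge project's own file: one way to combine the suggestions above into a public/avatars/.htaccess that keeps the upload protection without breaking image delivery when PHP does not run as an Apache module. The mod_php7.c and mod_php.c guards and the Apache 2.4 `Require all denied` branch are additions beyond what the thread shows, and the example assumes the host permits these directives in .htaccess.

```apache
# public/avatars/.htaccess (added example, not the project's shipped file)

# 1) Switch the PHP engine off only where mod_php is actually loaded.
#    php_flag is a mod_php directive; under CGI/FastCGI/PHP-FPM Apache does
#    not know it, and an unguarded line makes every request in this folder,
#    images included, fail with a 500.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
# Assumption beyond the thread: module names used by PHP 7 and PHP 8 builds.
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>

# 2) Independently of how PHP is run, refuse to serve anything in this
#    folder that has a script extension (same list as posted in the thread).
<FilesMatch "\.(htm|html|shtml|php|js|php3|php4|phtml|pl|py|jsp|sh|cgi)$">
    # Apache 2.4 syntax (addition beyond the thread).
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 syntax, as posted in the thread.
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</FilesMatch>
```

If avatars still fail to load with this file in place, the Apache error log names the rejected directive, either as "Invalid command" (module not loaded) or "not allowed here" (blocked by the host's AllowOverride setting).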