apache - Disable all CGI (php, perl, …) for a directory using .htaccess

Question

I have a directory where users can upload files.

To avoid security issues (e.g. somebody uploading a malicious php script), I currently change the files' extension by appending .data for example, but then when downloading the file, they have to manually remove the .data.

Another common solution is to upload the files in a directory that is not served by Apache, and have a php script manage all downloads by calling readfile().

What I'd like to do is to simply disallow execution of any scripts (php, perl, cgi scripts, whatever I may install in the future) in the upload folder. This SO answer suggests adding the following line in a .htaccess file in that folder:

SetHandler default-handler

However, in my case this has no effect (the example php script I put in that folder is still executed). What am I doing wrong?

Apache configuration

The machine is a VPS (Virtual Private Server) running Debian GNU/Linux 6.0.7 (squeeze), and as far as I can remember (I note down all commands I run on that server, so my "memory" should be pretty accurate), I dindn't change anything in apache2 configuration, appart from running sudo apt-get install php5, and creating the the file /etc/apache2/sites-enabled/mysite.com with the following contents:

<VirtualHost *:80>
  ServerAdmin webmaster@localhost
  ServerName  mysite.com
  ServerAlias www.mysite.com

  DocumentRoot /home/me/www/mysite.com/www/
  <Directory />
    Options FollowSymLinks
    AllowOverride All 
  </Directory>
  <Directory /home/me/www/mysite.com/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All 
    Order allow,deny
    allow from All
  </Directory>

  ErrorLog ${APACHE_LOG_DIR}/error.log

  # Possible values include: debug, info, notice, warn, error, crit,
  # alert, emerg.
  LogLevel warn

  CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Answer 1

Put this in your .htaccess:

<Files *>
    # @mivk mentionned in the comments that this may break
    # directory indexes generated by Options +Indexes.
    SetHandler default-handler
</Files>

But this has a few security holes: one can upload a .htaccess in a subdirectory, and override these settings, and they might also overwrite the .htaccess file itself!

If you're paranoid that the behaviour of the option should change in the future, put this in your /etc/apache2/sites-enabled/mysite.com

    <Directory /home/me/www/upload/>
            # Important for security, prevents someone from
            # uploading a malicious .htaccess
            AllowOverride None

            SetHandler none
            SetHandler default-handler

            Options -ExecCGI
            php_flag engine off
            RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
            <Files *>
                    AllowOverride None

                    SetHandler none
                    SetHandler default-handler

                    Options -ExecCGI
                    php_flag engine off
                    RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
            </Files>
    </Directory>

If you can't modify the apache configuration, then put the files in a .htaccess with the following directory structure:

/home/me/www/
          |- myuploadscript.php
          |- protected/
              |- .htaccess
              |- upload/
                  |- Uploaded files go here

That way, nobody should be able to overwrite your .../protected/.htaccess file since their uploads go in a subdirectory of .../protected, not in protected itself.

AFAICT, you should be pretty safe with that.