Hardening uploads folder in IIS breaks images - wordpress

My site loads a bunch of images from the uploads folder, using direct URLs, such as:
http://www.example.com/wp-content/uploads/some.image.png
I'm trying to figure out a remote script execution issue, and one of the things recommended on https://codex.wordpress.org/Hardening_WordPress is to prevent script execution in the uploads folder, using the .htaccess file:
# Kill PHP Execution
<Files ~ "\.ph(?:p[345]?|t|tml)$">
deny from all
</Files>
My site is running on IIS, so to achieve the same result, I removed the PHP handler for the uploads folder and all its subfolders:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers>
<remove name="php-7.1.7" />
</handlers>
</system.webServer>
</configuration>
However, if I use the web.config file, loading an image using a direct URL leads to an HTTP 500 error. Consequently, themes don't load properly.
How would I go about preventing PHP script execution in the uploads folder, without breaking static file loading?
Adding <add name="StaticFile" /> below <remove name="php-7.1.7" /> makes no difference.

Create a web.config inside the uploads folder and paste in the following XML:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read">
</handlers>
</system.webServer>
</configuration>
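As an added example (not the asker's or the answerer's configuration), here is a web.config for the uploads folder that follows the same intent as the Codex .htaccess rule but does not depend on knowing the PHP handler's name: it clears every inherited handler, re-adds only the native static-file handler under a read-only access policy, and uses request filtering to refuse script-like extensions outright. The handler name "php-7.1.7" from the question is deliberately not referenced; on other servers the PHP handler is registered under a different name, and a `<remove>` for a name that does not exist in the parent configuration is itself a 500.19 configuration error.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example for wp-content/uploads: serve static files only.
     Not taken from the question or the answer above. -->
<configuration>
  <system.webServer>
    <!-- accessPolicy="Read" denies Script and Execute access in this folder,
         so no handler that requires script access (PHP, ASP.NET) can run here. -->
    <handlers accessPolicy="Read">
      <!-- Drop every handler inherited from the parent web.config and
           applicationHost.config, whatever they are named. -->
      <clear />
      <!-- Re-add only the native static file handler so images, CSS and other
           static assets in uploads are still served. -->
      <add name="StaticFile" path="*" verb="*"
           modules="StaticFileModule"
           resourceType="File" requireAccess="Read" />
    </handlers>
    <security>
      <requestFiltering>
        <!-- Defence in depth: refuse requests for script extensions before any
             handler is chosen, mirroring the extension list in the .htaccess
             rule quoted in the question. -->
        <fileExtensions>
          <add fileExtension=".php" allowed="false" />
          <add fileExtension=".php3" allowed="false" />
          <add fileExtension=".php4" allowed="false" />
          <add fileExtension=".php5" allowed="false" />
          <add fileExtension=".pht" allowed="false" />
          <add fileExtension=".phtml" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
    <!-- Uploads should never be browsable as a listing. -->
    <directoryBrowse enabled="false" />
  </system.webServer>
</configuration>
```

To check the result, request a known image (for example the `some.image.png` URL from the question) and confirm it returns 200 with the image bytes, then drop a harmless text file named `test.php` (constructed for the check) into uploads and request it: with this config IIS answers 404 from request filtering rather than executing anything, and the file contents are never returned. If the `<clear />` is rejected with a 500.19 error, the handlers section has been locked at the server level and must be unlocked in applicationHost.config before a folder-level web.config can override it.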

Related

IIS deploy php application in subfolder of ASP.NET core NOPCommerce

In a NopCommerce 4.0 application I am trying to deploy a PHP application in a subfolder.
So that the URL for subfolder is like mydomain.com/blog/.
I have added only one file to the blog folder as index.php.
I want the url for this page to be mydomain.com/blog/index.php.
Please note that I have already removed the blog from the RouteProvider.cs.
How can I process the index.php in the NOP 4.0 folder?
I got this issue solved by removing the route from the code and adding the below code in the web.config of the sub-folder.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers>
<remove name="aspNetCore" />
</handlers>
</system.webServer>
</configuration>

Web.config - Cache JS and CSS but don't cache HTML pages [duplicate]

I would like to set up rules in IIS7 for static content caching in my ASP.NET website.
I have seen these articles, which detail how to do it using the <clientCache /> element in web.config:
Client Cache <clientCache> (IIS.NET)
Add Expires or Cache Control Header to static content in IIS (Stack Overflow)
However, this setting appears to apply globally to all static content. Is there a way to do this just for certain directories or extensions?
For example, I may have two directories which need separate cache settings:
/static/images
/content/pdfs
Is it possible to set up rules for sending cache headers (max-age, expires, etc) based on extensions and folder paths?
Please note, I must be able to do this via web.config because I don't have access to the IIS console.
You can set specific cache-headers for a whole folder in either your root web.config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<!-- Note the use of the 'location' tag to specify which
folder this applies to-->
<location path="images">
<system.webServer>
<staticContent>
<clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="00:00:15" />
</staticContent>
</system.webServer>
</location>
</configuration>
Or you can specify these in a web.config file in the content folder:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<staticContent>
<clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="00:00:15" />
</staticContent>
</system.webServer>
</configuration>
I'm not aware of a built in mechanism to target specific file types.
You can do it on a per-file basis. Use the path attribute to include the filename.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<location path="YourFileNameHere.xml">
<system.webServer>
<staticContent>
<clientCache cacheControlMode="DisableCache" />
</staticContent>
</system.webServer>
</location>
</configuration>
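As an added example that goes a step beyond the answer above (it is not the answerer's configuration), here is a single root web.config that gives the two folders named in the question different cache policies using `<location>` elements, and keeps everything else, including static .html files, uncacheable by default. The folder paths are the ones from the question; the max-age values are illustrative.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original answers: per-folder cache headers
     from one root web.config. -->
<configuration>
  <system.webServer>
    <staticContent>
      <!-- Site-wide default: static files (including .html) get
           Cache-Control: no-cache unless a more specific location below
           overrides it. -->
      <clientCache cacheControlMode="DisableCache" />
    </staticContent>
  </system.webServer>

  <!-- Images: long-lived and cacheable by shared proxies.
       cacheControlMaxAge is a TimeSpan in d.hh:mm:ss form, so 7.00:00:00 is
       seven days (Cache-Control: max-age=604800,public). -->
  <location path="static/images">
    <system.webServer>
      <staticContent>
        <clientCache cacheControlMode="UseMaxAge"
                     cacheControlMaxAge="7.00:00:00"
                     cacheControlCustom="public" />
      </staticContent>
    </system.webServer>
  </location>

  <!-- PDFs: one hour, and marked private so shared caches do not retain
       documents that might only be meant for a logged-in user. -->
  <location path="content/pdfs">
    <system.webServer>
      <staticContent>
        <clientCache cacheControlMode="UseMaxAge"
                     cacheControlMaxAge="01:00:00"
                     cacheControlCustom="private" />
      </staticContent>
    </system.webServer>
  </location>
</configuration>
```

Two caveats worth knowing: `<clientCache>` only affects responses produced by the static file handler, so pages generated by ASP.NET (.aspx, MVC views) are unaffected and need output caching or `Response.Cache` settings instead; and the `<location>` path is matched against the request path, so the folders must be addressed as `/static/images/...` and `/content/pdfs/...` for the overrides to apply.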
I had the same issue. For me the problem was how to configure a cache limit for images. And I came across this site, which gave some insights into the procedure on how the issue can be handled. Hope it will be helpful for you too.
Link: https://varvy.com/pagespeed/cache-control.html

Set Default Start Document

This seems pretty simple, but for the life of me I can't figure it out.
Using ASP.NET Classic (ie non-MVC), say I have a website www.foo.com that has an /api folder, and in that folder is the file api.aspx (i.e. you hit www.foo.com/api/api.aspx)
How can I set things up (either via Web.config rewrite or via MapPageRoute() in Global.asax.cs) so that www.foo.com/api
hits /api/api.aspx not /api/Default.aspx
doesn't show api.aspx in the browser's URL box (I just want to see either www.foo.com/api or www.foo.com/api/)
I would have thought that this would work:
routes.MapPageRoute("ApiRoute","api","~/Api/Api.aspx");
but it doesn't... I still hit /api/Default.aspx
EDIT:
I also want to support /abc/abc.aspx and /thing/thing.aspx, mostly so when I have these pages open in the IDE they're not all named "Default.aspx" and I can't quickly see which page is which.
I've created a small demo project. For each folder where I want to set a specific default document, I add a web.config file.
project structure
Each web.config file defines a default file for its folder.
web.config in folderA
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<defaultDocument enabled="true">
<files>
<clear/>
<add value="a.aspx"/>
</files>
</defaultDocument>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>
Accordingly for folderB
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<defaultDocument enabled="true">
<files>
<clear/>
<add value="b.aspx"/>
</files>
</defaultDocument>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>
ATTENTION
When I did some tests in my development web server it did not work. But when I published my project to my local IIS instance it did work out all right.
local IIS deployment

Why is a module removed in the root folder's web.config being used in a subfolder?

My application has this structure
MyApplication
-Themes
In my application's web.config I remove the UrlAuthorization module and add my own:
<modules runAllManagedModulesForAllRequests="true">
<remove name="UrlAuthorization" />
<add name="MyModule" type="MyType, MyNamespace" preCondition="managedHandler" />
</modules>
My Theme folder has this web.config (this is the complete web.config):
<?xml version="1.0"?>
<configuration>
<system.web>
<pages styleSheetTheme="" validateRequest="false" />
</system.web>
</configuration>
I have this deployed in 3 environments. 2 of them work correctly but in one of them I have the UrlAuthorization module working when I make a request to a file inside the Theme folder.
I know that the UrlAuthorization is active because I do not get the resource I requested, but a URL /ReturnURl/... path.
The <remove> tag is working because removing it causes the whole request to be redirected to the /ReturnUrl.
Is there any reason that may cause this behavior to happen only on this machine?
I deployed all of them and I do not remember performing any different task on any of them.
thanks!
FYI, it was an issue due to the folders permissions in the file system. I made the environments identical and it worked.

Multiple Web.Config files - from a code point-of-view

ASP.NET allows for Web.Config files at sub-levels within a site structure. However, I can't find any articles discussing how this looks from code.
In the Orchard CMS there are config files all over the shop. There's even a config file in a folder containing only .CSS files! I'm new to larger-scale ASP.NET apps so...
Can someone just tell me if I'm right in my assumptions.
The config file can affect server settings, and hence how a server processes a request to a resource further down a site structure.
From a code point of view, if the same line of code in the same class queries the config file during a request for http://level1.resource then it could read a different value to when the same code executes during a request for http://level1/level2.resource (if there is a web.config at level2)
Overall, the way it works is based on the current request path.
Right?
You can use multiple web.config files at the sub-folder level. Each folder will contain its own web.config. Multiple web.config files can't be used at the same level.
Below is code for root folder web.config
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<appSettings>
<add key="root" value="This is from root web.config"></add>
<add key="MySetting" value="This my settings is from root web.config"></add>
</appSettings>
</configuration>
and following is code for sub folder web.config.
<?xml version="1.0"?>
<configuration>
<system.web>
</system.web>
<appSettings>
<add key="sub" value="This is from sub web.config settings"></add>
<add key="MySetting" value="This my settings is from sub folder web.config"></add>
</appSettings>
</configuration>
In C#, you can access the settings of the different configuration files as below.
System.Web.Configuration.WebConfigurationManager.AppSettings.Get("Root");
System.Web.Configuration.WebConfigurationManager.AppSettings.Get("MySetting");
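As an added example (not part of the answer above), here is a sub-folder web.config that shows the three ways a child configuration can change the <appSettings> it inherits from the root, rather than only overriding one key. The "root" and "MySetting" keys are the ones the answer's root web.config defines; "SubOnly" is a key made up for this example.

```xml
<?xml version="1.0"?>
<!-- Added example: sub-folder web.config that overrides, removes and adds
     inherited appSettings. Not from the original answer. -->
<configuration>
  <appSettings>
    <!-- 1. Override: same key as the root, new value. For a request under this
            folder, AppSettings.Get("MySetting") returns this string. -->
    <add key="MySetting" value="This my settings is from sub folder web.config" />

    <!-- 2. Remove: drop an inherited key. Under this folder,
            AppSettings.Get("root") returns null; at the root it still works. -->
    <remove key="root" />

    <!-- 3. Add: a key that exists only for requests under this folder.
            ("SubOnly" is a made-up key for this example.) -->
    <add key="SubOnly" value="visible only for requests under this folder" />

    <!-- Alternatively, put <clear /> as the first child of <appSettings> to
         discard everything inherited and start from an empty collection. -->
  </appSettings>
</configuration>
```

Which merged view you get depends on the request path, exactly as the question suspected: `WebConfigurationManager.AppSettings` inside a request resolves against the path of that request, and outside a request you can ask for a specific path's merged view with `WebConfigurationManager.OpenWebConfiguration("/subfolder").AppSettings` (the "/subfolder" virtual path is a placeholder here). One restriction to keep in mind: sections marked MachineToApplication in the .NET schema, such as <authentication>, <sessionState> and <compilation>, are only allowed in an application's root web.config, so a sub-folder web.config that tries to set them fails with a configuration error unless that folder has been made its own application in IIS.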
This is an old question, but I just asked myself the same one specifically in the Orchard CMS context as per the original post, and I've got an Orchard specific answer.
In the root of Orchard CMS, there's a web.config that wants to prevent all users from requesting individual static files. For example, you don't want people to download placement.info or theme.txt from the Theme folders. This is a good "block everything, allow what you need" approach.
<handlers accessPolicy="Script">
<!-- Clear all handlers, prevents executing code file extensions or returning any file contents. -->
<clear />
<!-- Return 404 for all requests via a managed handler. The URL routing handler will substitute the MVC request handler when routes match. -->
<add name="NotFound" path="*" verb="*" type="System.Web.HttpNotFoundHandler" preCondition="integratedMode" requireAccess="Script" />
[...]
</handlers>
The thing is, in subfolders such as Scripts (containing static js files), Styles (containing only lots of static css files), or Content (containing static images, for example), you of course want to allow the web browser to request an individual file. So in these subfolders, you have an extra web.config that looks like this:
<handlers accessPolicy="Script,Read">
<!-- For any request to a file exists on disk, return it via native http module. AccessPolicy="Script" above is to allow for a managed 404 page. -->
<add name="StaticFile" path="*" verb="*" modules="StaticFileModule" preCondition="integratedMode" resourceType="File" requireAccess="Read" />
</handlers>
PS: I'm currently playing with Themes, and for some reason I've had to add <remove name="StaticFile"/> before each <add name="StaticFile"...> in all these child web.config files.