(I hope this isn't a double post, I messed up a bit with the list. if
it is.. sorry)
I've got this strange problem and I'm sure its my fault, but I just
don't find out what's wrong =)
configuration is simple. the interesting two lines are:
SecFilterSelective POST_PAYLOAD "(<\?php|<%.*%>|^#!/)"
ok. as I understand it, that should read the content of uploaded files
and check it against this simple regexp.
then I made an upload form and set debug log to 9. the relevant output
Checking signature "(<\\?php|<%.*%>|^#!/)" at POST_PAYLOAD
Checking against "test=post&test_text=asdfasdf"
ok. it uses the right regexp, but the 'payload' isn't what I expected.
thats just the post args in form of get args. what does this faked
mean? and why doesn't it check the file content? the check on
files_names works perfectly (no .php, .asp etc files can be uploaded
directly). I just don't want someone to upload a txt file with code an
logically, the regexp doesn't match, the uploaded script file lies on
the server. and that's exactly the problem I wanted to solve =)
I already did a good amount of rtfm, but didn't find very much. Only
thing I don't really understand is the SecUploadDir directive. do I
have to use this? tried but failed...
any tipps are appreciated.
ah.. I nearly forgot: