The Hunting of the Snark

category: en, category: tech, created: 25. Apr. 2005

Apache, WebDAV and PHP

On one machine I administer, I run Apache (2.0.52), PHP (5) and WebDAV. I want to be able to generate dynamic content in some directories with PHP. Other directories are supposed to be a DAV upload and download store for members of a project workgroup. While the people with access to this area are well known and basically trustworthy, I don't want to give them the ability to run arbitrary code with the permissions of the www-daemon account by just dropping PHP scripts in the shared area.

When reading the Apache docs, one thinks it should be possible to use some combination of the directives RemoveType, RemoveHandler or even RemoveOutputFilter - maybe in combination with defining new ones via SetType, SetHandler or SetOutputFilter for the directory or location shared via DAV. But that did not work at all...

The only per-location directive that is widely suggested for this is ForceType text/plain (or application/octet-stream), but I don't want to use that because the DAV share would be a lot less usable (in the non-DAV view visible to non-authenticated users) if MIME types for html, gif, jpeg, txt, ... were not properly assigned to the respective file types that will be uploaded.

Another hint was to set up a separate virtual server (on another port or with another hostname), configured for DAV access and without PHP. But that did not make sense in our project setup either.


The Files directive seems to be the only way to properly restrict just PHP-style files for just a specific location. For the DAV view of this directory I use:

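# <Files> may be nested inside <Directory> but not inside <Location>,
# so the block is keyed on the filesystem path of the DAV share.
<Directory /path/to/dir>
  Dav On
  AuthType Basic
  AuthName upload
  AuthUserFile /path/to/users/file
  AuthGroupFile /path/to/group/file
  Require group uploadgrp
  # Serve every PHP-style extension as plain text instead of executing it.
  <Files *.php>
    ForceType text/plain
  </Files>
  <Files *.phtml>
    ForceType text/plain
  </Files>
  <Files *.php3>
    ForceType text/plain
  </Files>
  <Files *.php4>
    ForceType text/plain
  </Files>
  <Files *.php5>
    ForceType text/plain
  </Files>
</Directory>
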
You have to make sure, however, that you catch all of the active extensions - I hope I did...
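
One way to check that the list is complete, as an added example that is not part of the original post: the script below collects every extension that an AddType or AddHandler line maps to PHP and reports those not covered by a <Files> block with ForceType text/plain. The sample configuration is constructed, the ".inc" mapping in it is hypothetical, and only literal AddType/AddHandler lines and <Files> wildcard blocks are understood (no FilesMatch, no SetHandler).

```python
import fnmatch
import re

# Constructed sample: PHP mappings as a server might define them, followed by
# the five <Files> blocks from the post. The ".inc" mapping is hypothetical.
COVERED = ("php", "phtml", "php3", "php4", "php5")
SAMPLE_CONF = (
    "AddType application/x-httpd-php .php .phtml .php3\n"
    "AddType application/x-httpd-php .php4 .php5\n"
    "AddHandler php5-script .inc\n"
    "AddType image/gif .gif\n"
    "<Directory /path/to/dir>\n  Dav On\n"
    + "".join(f"  <Files *.{e}>\n    ForceType text/plain\n  </Files>\n" for e in COVERED)
    + "</Directory>\n"
)

MAPPING = re.compile(r"^\s*Add(?:Type|Handler)\s+(\S+)\s+(.+)$", re.I)
FILES_OPEN = re.compile(r'^\s*<Files\s+"?([^">]+)"?\s*>', re.I)
FILES_CLOSE = re.compile(r"^\s*</Files>", re.I)
FORCE_PLAIN = re.compile(r"^\s*ForceType\s+text/plain\s*$", re.I)

def php_extensions(conf):
    """Extensions that AddType/AddHandler lines map to a PHP type or handler."""
    exts = set()
    for line in conf.splitlines():
        m = MAPPING.match(line)
        if m and "php" in m.group(1).lower():
            exts.update(e.lstrip(".").lower() for e in m.group(2).split())
    return exts

def neutralised_patterns(conf):
    """Wildcards of <Files> blocks that contain 'ForceType text/plain'."""
    patterns, current = [], None
    for line in conf.splitlines():
        m = FILES_OPEN.match(line)
        if m:
            current = m.group(1)
        elif FILES_CLOSE.match(line):
            current = None
        elif current and FORCE_PLAIN.match(line):
            patterns.append(current)
    return patterns

def uncovered(conf):
    """PHP-mapped extensions that no neutralising <Files> pattern matches."""
    pats = neutralised_patterns(conf)
    return sorted(e for e in php_extensions(conf)
                  if not any(fnmatch.fnmatchcase(f"probe.{e}", p) for p in pats))

if __name__ == "__main__":
    print("not covered:", uncovered(SAMPLE_CONF))
```

To run it against a real server, pass the concatenated text of the main configuration and all included files instead of SAMPLE_CONF.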

(c) Heiko Hellweg 2005 - 2009