httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 43372] New: - addhandler behavior poorly defined
Date Thu, 13 Sep 2007 04:27:31 GMT

http://issues.apache.org/bugzilla/show_bug.cgi?id=43372

           Summary: addhandler behavior poorly defined
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: major
          Priority: P2
         Component: Documentation
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: sean@awesomeplay.com


The documentation does not at all make clear that AddType will scan a file name
for an extension instead of using the end of the filename as the extension. 
That is, the following directive:

AddHandler x-httpd-php .php

Will cause all of the following files to be marked as x-httpd-php files:

test.php
test.php.gz
test.php.html.gz
test.gz.php.html
test.php.jpg
test.php.txt

In some cases, this can result in a huge security hole when using AddHandler to
register handlers for PHP or other script/CGI engines.  Some distributions of
Apache are shipping with AddHandler directives for certain script engine modules
where AddType directives should be used, resulting in security vulnerabilities
for applications that allow users to upload files and only use extension
checks (admittedly a fault in the application, but it's apparently common).

The documentation for AddHandler simply doesn't make it obvious that this will
occur, which I believe is why many experienced Apache distribution maintainers
and administrators are using AddHandler instead of AddType when they shouldn't be.

(Note that I have filed bugs to alter the default configurations for the Apache
distributions I've found with this configuration error already.  This bug is for
a documentation enhancement, not for a change in any particular distribution's
default configuration.)

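The matching behavior the report describes, shown as an added configuration example; this is not text from the bug report, from the httpd documentation, or from any distribution's shipped config. It assumes mod_mime is loaded and a PHP module registered under the handler name x-httpd-php, written exactly as the report writes it (substitute whatever name your PHP module actually registers). The weak directive is the one quoted above; the `<FilesMatch>` block is the fix I would recommend, since it anchors on the end of the filename instead of relying on per-extension scanning. The per-file annotations follow mod_mime's documented rule that every dot-separated extension of a name is looked up and that a handler and a type set by different extensions both apply.

```apache
# Weak form, as shipped by the distributions the report describes.
# mod_mime examines every dot-separated extension, so the handler is
# attached wherever ".php" appears in the name, not only at its end.
AddHandler x-httpd-php .php
#   test.php           -> handler x-httpd-php   (intended)
#   test.php.gz        -> handler x-httpd-php   (.gz only adds a Content-Encoding)
#   test.php.html.gz   -> handler x-httpd-php
#   test.gz.php.html   -> handler x-httpd-php
#   test.php.jpg       -> handler x-httpd-php   (the upload-bypass case: .jpg sets
#                                               the type, .php still sets the handler)
#   test.php.txt       -> handler x-httpd-php

# Hardened form (added here, not from the report): anchor the match to the
# end of the filename with a regular expression and assign the handler
# explicitly, so nothing outside the trailing ".php" is consulted.
<FilesMatch "\.php$">
    SetHandler x-httpd-php
</FilesMatch>
#   test.php           -> handler x-httpd-php
#   test.php.gz        -> no handler; served as a static file
#   test.php.html.gz   -> no handler; served as a static file
#   test.gz.php.html   -> no handler; served as text/html
#   test.php.jpg       -> no handler; served as image/jpeg
#   test.php.txt       -> no handler; served as text/plain
```

Run `httpd -t` (or `apachectl configtest`) after the change to confirm the configuration parses, then request a name such as test.php.jpg containing a harmless `<?php` marker and check that the bytes come back verbatim rather than being executed. One caveat from my side, not the reporter's: AddType is resolved by the same per-extension scan in mod_mime. A later extension that maps to another type (such as .jpg or .txt) does override the PHP type, but one that maps to nothing, or only to an encoding such as .gz, leaves it in place, so switching AddHandler to AddType narrows the exposure without removing it; the anchored `<FilesMatch>` does.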