httpd-dev mailing list archives

From Rich Bowen <rbo...@rcbowen.com>
Subject Disable multiple file extension support?
Date Fri, 26 May 2006 01:08:45 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The folks at Drupal have apparently just discovered that
something.php.bar is executed as PHP, and, thus, checking to see if a
file ends with .php is not sufficient to ensure that their file upload
feature can't be exploited.

In fact, they have a whitelist, and check to see the files end only with
stuff on the whitelist, so it's a little more robust than that, but
still fairly easy to get around.

I've been asked to pass on a request for a configuration directive to
disable the support for multiple file extensions - that is, ensure that
only the final file extension is honored when determining how to handle
a file.

I haven't thought through all the implications of such a directive, nor
do I know how feasible it is. But I've passed on the request.

- --Rich
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEdlUdXP03+sx4yJMRAoNjAJ4u5ZWisCH/tvp815nDWV5nsVlN8QCfdFC1
xObWe9eolhXx0ila5ucjfOY=
=OlDX
-----END PGP SIGNATURE-----
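To make the behaviour in Rich's message concrete, here is a small model of how mod_mime's multiple-extension handling interacts with an upload whitelist. This is an added illustration, not httpd or Drupal code: the handler and type tables, the whitelist and the file names are all constructed for the example, and mod_mime's real matching has more cases than the few modelled here. It contrasts the `Add*` directives (every dot-separated part is a candidate extension, so `shell.php.jpg` still gets the PHP handler) with the `<FilesMatch "\.php$"> SetHandler ...` form that the mod_mime documentation recommends when only the final extension should count, and contrasts an ends-with whitelist with a check that requires every extension in the name to be on the list.

```python
"""
Model of mod_mime multiple-extension resolution versus an upload whitelist.
Constructed example; not code from httpd, mod_mime or Drupal.
"""
import re

# Constructed equivalent of:
#   AddHandler application/x-httpd-php .php
#   AddType image/jpeg .jpg / AddType image/gif .gif / AddType text/plain .txt
# With Add* directives mod_mime looks at every dot-separated part after the
# first; parts with no mapping are ignored and the last mapped part of each
# kind (handler, media type) wins.
ADD_HANDLER = {"php": "application/x-httpd-php"}
ADD_TYPE = {"jpg": "image/jpeg", "gif": "image/gif", "txt": "text/plain"}

PHP_HANDLER = "application/x-httpd-php"


def mod_mime_resolve(filename):
    """Return (handler, content_type) the way Add* directives assign them."""
    handler = None
    ctype = None
    for ext in filename.split(".")[1:]:
        ext = ext.lower()
        if ext in ADD_HANDLER:
            handler = ADD_HANDLER[ext]
        if ext in ADD_TYPE:
            ctype = ADD_TYPE[ext]
    return handler, ctype


# Constructed equivalent of the mod_mime documentation's suggestion for
# honouring only the final extension:
#   <FilesMatch "\.php$">
#       SetHandler application/x-httpd-php
#   </FilesMatch>
FILESMATCH_PHP = re.compile(r"\.php$", re.IGNORECASE)


def filesmatch_resolve(filename):
    """Return (handler, content_type) when the PHP handler is bound by
    FilesMatch on the last extension only; the media type still comes from
    the last dot-separated part."""
    handler = PHP_HANDLER if FILESMATCH_PHP.search(filename) else None
    last = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return handler, ADD_TYPE.get(last)


def would_execute(filename, resolver):
    """True if the server would hand the file to the PHP handler."""
    return resolver(filename)[0] == PHP_HANDLER


# Constructed upload whitelist of the kind the message describes.
UPLOAD_WHITELIST = ("jpg", "gif", "txt")


def suffix_whitelist_allows(filename):
    """The weak check: accept if the name merely ends with a whitelisted
    extension.  'shell.php.jpg' passes."""
    return filename.lower().endswith(tuple("." + e for e in UPLOAD_WHITELIST))


def strict_whitelist_allows(filename):
    """Hardened check: every dot-separated part after the first must be on
    the whitelist, so any embedded '.php' is rejected regardless of what
    the name ends with."""
    parts = filename.split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    return all(p.lower() in UPLOAD_WHITELIST for p in parts[1:])


if __name__ == "__main__":
    for name in ("photo.jpg", "shell.php.jpg", "something.php.bar"):
        print(name,
              "Add*:", mod_mime_resolve(name),
              "FilesMatch:", filesmatch_resolve(name),
              "suffix ok:", suffix_whitelist_allows(name),
              "strict ok:", strict_whitelist_allows(name))
```

The two fixes are independent and both are worth applying: the `FilesMatch` form stops the server from executing `shell.php.jpg` even if a weak check lets it through, and the strict whitelist stops the application from accepting it in the first place. Neither replaces keeping uploaded files in a location where no script handler is bound at all.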
