httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rich Bowen <>
Subject Re: Disable multiple file extension support?
Date Fri, 26 May 2006 02:06:33 GMT
Hash: SHA1

Joshua Slive wrote:
> On 5/25/06, Rich Bowen <> wrote:
>> The folks at Drupal have apparently just discovered that
>> is executed as PHP, and, thus, checking to see if a
>> file ends with .php is not sufficient to ensure that their file upload
>> feature can't be exploited.
>> In fact, they have a whitelist, and check to see the files end only with
>> stuff on the whitelist, so it's a little more robust than that, but
>> still fairly easy to get around.
>> I've been asked to pass on a request for a configuration directive to
>> disable the support for multiple file extensions - that is, ensure that
>> only the final file extension is honored when determining how to handle
>> a file.
>> I haven't thought though all the implications of such a directive, nor
>> do I know how feasible it is. But I've passed on the request.
> You can pass back
> <FilesMatch \.php$>
> SetHandler php-script
> </FilesMatch>
> (in place of any other method of activating php)
> Yes, this confuses many people who aren't used to the fact that a file
> can have more than one extension.  But I believe it is easy enough to
> deal with when you know about it.  Given the existence of
> <FilesMatch>, I don't think we really need to add an option to
> AddHandler/AddType/etc.

That only works if you happen to be the server administrator. If,
however, you are renting web space from someone who has php enabled
globally (this appears to be the normal Drupal user) that's not going to
solve anything.

The discussion seems to be leaning the direction of trapping the file
when it is uploaded and defanging it at that point.

Version: GnuPG v1.2.4 (Darwin)
Comment: Using GnuPG with Mozilla -


View raw message