httpd-dev mailing list archives

From "Joshua Slive" <jos...@slive.ca>
Subject Re: Disable multiple file extension support?
Date Fri, 26 May 2006 01:44:45 GMT
On 5/25/06, Rich Bowen <rbowen@rcbowen.com> wrote:
> The folks at Drupal have apparently just discovered that
> something.php.bar is executed as PHP, and, thus, checking to see if a
> file ends with .php is not sufficient to ensure that their file upload
> feature can't be exploited.
>
> In fact, they have a whitelist, and check to see the files end only with
> stuff on the whitelist, so it's a little more robust than that, but
> still fairly easy to get around.
>
> I've been asked to pass on a request for a configuration directive to
> disable the support for multiple file extensions - that is, ensure that
> only the final file extension is honored when determining how to handle
> a file.
>
> I haven't thought through all the implications of such a directive, nor
> do I know how feasible it is. But I've passed on the request.

You can pass back
<FilesMatch \.php$>
SetHandler php-script
</FilesMatch>
(in place of any other method of activating php)

Yes, this confuses many people who aren't used to the fact that a file
can have more than one extension.  But I believe it is easy enough to
deal with when you know about it.  Given the existence of
<FilesMatch>, I don't think we really need to add an option to
AddHandler/AddType/etc.

(I'm trying not to comment about the general wisdom of having a
file-upload area that has any kind of dynamic processing enabled in
any way...)

Joshua.
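The bypass Rich describes and the fix Joshua proposes can be made concrete with a small simulation. The following is an added example, not code from the thread, from Drupal or from httpd: it approximates mod_mime's multi-extension scan (every dot-separated segment after the basename is examined, a segment matching an AddHandler mapping sets the handler, unrecognised segments are ignored), models the upload whitelist as a check on the final extension only, and contrasts that with the anchored `<FilesMatch \.php$>` rule, under which only the final extension counts. The handler table and the whitelist are constructed for the example.

```python
import re

# Handler table as "AddHandler php-script .php" would build it (constructed
# for this example; the exact table is not part of the thread).
ADD_HANDLER = {"php": "php-script", "cgi": "cgi-script"}

# Extensions the upload code accepts (constructed whitelist of the kind Rich
# describes: the file must END with one of these).
UPLOAD_WHITELIST = {"txt", "jpg", "png", "gif", "pdf"}


def _basename(filename):
    return filename.rsplit("/", 1)[-1]


def mod_mime_handler(filename, handlers=ADD_HANDLER):
    """Approximate mod_mime's multi-extension scan under AddHandler.

    Each dot-separated segment after the basename is an extension; every
    one that matches a handler mapping sets the handler, and unknown
    extensions are ignored (simplification assumed here). So
    'shell.php.txt' still ends up with php-script.
    """
    handler = None
    for ext in _basename(filename).split(".")[1:]:
        mapped = handlers.get(ext.lower())
        if mapped is not None:
            handler = mapped
    return handler


# Joshua's replacement: <FilesMatch \.php$> SetHandler php-script </FilesMatch>
FILESMATCH_PHP = re.compile(r"\.php$")


def filesmatch_handler(filename):
    """Only the final extension is consulted, because the regex is anchored."""
    return "php-script" if FILESMATCH_PHP.search(_basename(filename)) else None


def whitelist_allows(filename, whitelist=UPLOAD_WHITELIST):
    """Upload check that looks only at the last extension."""
    name = _basename(filename)
    if "." not in name:
        return False
    return name.rsplit(".", 1)[-1].lower() in whitelist


def upload_is_dangerous(filename, server_handler):
    """True when the whitelist accepts the name AND the server would run it."""
    return whitelist_allows(filename) and server_handler(filename) is not None


if __name__ == "__main__":
    for name in ("shell.php.txt", "shell.php", "notes.txt", "index.php"):
        print(name,
              "AddHandler->", mod_mime_handler(name),
              "FilesMatch->", filesmatch_handler(name),
              "whitelisted:", whitelist_allows(name))
```

With AddHandler, `shell.php.txt` passes the last-extension whitelist and is still executed as PHP; with the anchored FilesMatch rule it is served as a plain file. Note that the regex as written is case-sensitive, so `shell.PHP` would not be handled as PHP under it either, which is safe but differs from mod_mime's case-insensitive extension matching. Joshua's aside still applies: the more robust fix is not to serve an upload directory with any dynamic handler enabled at all.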
