From: Kae Verens
Date: Mon, 13 Oct 2008 10:15:06 +0100
To: users@httpd.apache.org
Subject: [users@httpd] files ending with '.' treated as if the '.' is not there

Morning all, first post from myself.

If you have PHP, Perl or plain old CGI installed, and set up Apache to recognise these files with the extensions '.php', '.pl' or '.cgi', Apache will recognise the files even if the filename has a '.' at the end. For example, 'test.php.' will be run as if it is a PHP file.

This causes some developers to unwittingly create insecure programs. For example, if you have a program which allows a user to rename a file, but bans server-executable extensions such as '.php', '.cgi', etc., the programmer would not automatically realise that the user can get around that by placing a '.' at the end.

I'd like to know: is that a bug in Apache?

kae
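
The rename check described in the message above, as an added example that is not part of the original post: a filter that inspects only the final extension, next to a stricter one. The stricter check goes beyond the trailing-dot case and rejects a blocked extension in any position, on the assumption that the server may also act on an extension that is not the last one; the function names and the block list are illustrative.

```python
import re

# Assumed block list for illustration; a real deployment should mirror the
# extensions its own Apache configuration maps to a handler.
EXECUTABLE_EXTENSIONS = {"php", "pl", "cgi"}

# Plain file names only: no path separators, no leading dot, no control bytes.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def naive_is_allowed(filename: str) -> bool:
    """The check the post describes: only the final extension is examined."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in EXECUTABLE_EXTENSIONS


def strict_is_allowed(filename: str) -> bool:
    """Reject a name if any dot-separated component is a blocked extension."""
    if not _SAFE_NAME.fullmatch(filename):
        return False  # path traversal, leading dot, unexpected characters
    if filename.endswith("."):
        return False  # trailing dot: the case raised in the post
    _stem, *extensions = filename.split(".")
    if any(ext == "" for ext in extensions):
        return False  # empty component such as 'a..php'
    return not any(ext.lower() in EXECUTABLE_EXTENSIONS for ext in extensions)


def compare(names):
    """Return {name: (naive verdict, strict verdict)} for each candidate."""
    return {n: (naive_is_allowed(n), strict_is_allowed(n)) for n in names}


if __name__ == "__main__":
    # Constructed sample names, not taken from any real system.
    samples = ["report.pdf", "test.php", "test.php.", "test.PHP", "test.php.txt"]
    for name, (naive, strict) in compare(samples).items():
        print(f"{name!r:16} naive={naive!s:5} strict={strict}")
```
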