On 20/08/12 08:02, Wouter Verhelst wrote:
> On Sun, Aug 19, 2012 at 11:17:26AM +0900, Charles Plessy wrote:
>> - In Squeeze, using default configurations, files with ".php" in their name
>> such as "foo.php.jpeg" are executed as PHP scripts by the Apache web servers
>> running PHP scripts through php5-cgi.
>
> Maybe that's because it's expected they would be PHP scripts emitting
> JPEG files, not plain JPEG files? This seems like a feature to me, not a
> bug. Why was support for that removed?

Yes it's possible some people rely on that behaviour, e.g. serving JPEG data from PHP scripts named like foo.php.jpeg.

But some sites accept file uploads with arbitrary names, perhaps expected to be a JPEG image, but actually named bar.php.jpeg and containing malicious server-side PHP which they could execute from the browser.

If that behaviour is changed, then where the PHP preprocessor was previously invoked because of the detected MIME type, it would now serve up the source code instead (leading to information disclosure).

I imagine the 'safest' way to handle this is to preserve the original behaviour, still recognising *.php* as PHP scripts, but deny access to (through ACLs or a dummy handler) files containing ".php." in their name, unless the filename actually ends in ".php".

/If/ that could work, it would limit any disruption to the two cases where it might be a security issue.

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org
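
The three behaviours discussed in this message, modelled side by side as an added example (not part of the original post, and not Apache's or Debian's code). The policy function names and the sample filenames other than foo.php.jpeg and bar.php.jpeg are constructed, and matching is assumed to be case-insensitive on dot-separated name components.

```python
# Simplified model of the handler decision for a requested filename.
# Outcomes: "execute" = passed to PHP, "static" = raw file bytes are sent
# (for a PHP script that means its source), "deny" = access refused.

def extensions(filename):
    """Dot-separated components after the base name, lower-cased (assumption)."""
    return filename.lower().split(".")[1:]

def squeeze_default(filename):
    """Behaviour described for Squeeze: a '.php' component anywhere invokes PHP."""
    return "execute" if "php" in extensions(filename) else "static"

def final_extension_only(filename):
    """Changed behaviour: only a name that ends in '.php' invokes PHP."""
    exts = extensions(filename)
    return "execute" if exts and exts[-1] == "php" else "static"

def proposed(filename):
    """Suggested compromise: still recognise '.php' anywhere, but deny
    names containing '.php.' unless the name actually ends in '.php'."""
    exts = extensions(filename)
    if "php" not in exts:
        return "static"
    return "execute" if exts[-1] == "php" else "deny"

POLICIES = (squeeze_default, final_extension_only, proposed)

# Constructed sample names; the first two are the cases named in the message
# (a script that emits JPEG data, and an upload posing as an image).
SAMPLES = ["foo.php.jpeg", "bar.php.jpeg", "index.php", "photo.jpeg", "lib.php.php"]

def compare(names=SAMPLES):
    """Map each name to its outcome under the three policies, in POLICIES order."""
    return {name: tuple(policy(name) for policy in POLICIES) for name in names}

if __name__ == "__main__":
    print(f"{'filename':14} {'squeeze':8} {'changed':8} {'proposed':8}")
    for name, outcomes in compare().items():
        print(f"{name:14} " + " ".join(f"{o:8}" for o in outcomes))
```

Only the two ".php." names that do not end in ".php" differ between the policies: they are executed under the Squeeze default, sent as raw bytes under the changed behaviour, and refused under the proposal.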