On Mon, Aug 20, 2012 at 01:10:57PM +0100, Steven Chamberlain wrote:
> On 20/08/12 08:02, Wouter Verhelst wrote:
> > On Sun, Aug 19, 2012 at 11:17:26AM +0900, Charles Plessy wrote:
> >> - In Squeeze, using default configurations, files with ".php" in their name
> >>   such as "foo.php.jpeg" are executed as PHP scripts by the Apache web servers
> >>   running PHP scripts through php5-cgi.
> >
> > Maybe that's because it's expected they would be PHP scripts emitting
> > JPEG files, not plain JPEG files? This seems like a feature to me, not a
> > bug. Why was support for that removed?
>
> Yes it's possible some people rely on that behaviour, e.g. serving JPEG
> data from PHP scripts named like foo.php.jpeg.
>
> But some sites accept file uploads with arbitrary names, perhaps
> expected to be a JPEG image, but actually named bar.php.jpeg and
> containing malicious server-side PHP which they could execute from the
> browser.
Don't Do That Then(TM).

There are APIs for many server-side languages, including PHP, that allow
you to generate a filename for something a user uploads. If you rely on
the name as specified by a user, you not only invite this kind of
problem, but also directory traversals and similar things.

Scripts not using those APIs are buggy scripts, plain and simple. Fixing
those bugs should happen in the script, not by mucking about with the
default webserver configuration.

The right solution to this problem is instead to write your upload
scripts so that they

- Store uploads in a directory which is served by the webserver, but
  without allowing any kind of script execution (i.e., "Options -ExecCGI"
  and similar things for other scripting environments and/or webservers)
- Use a server-generated filename, and throw away whatever the user sent.
  If you do still need the user-specified filename for some weird reason,
  then store it in a database.

Alternatively, you could only allow trusted users to upload files (but
obviously, that isn't always a solution).

Writing secure code for the web is hard; fixing that isn't really
possible. Now if some change were to make it possible to improve
security without unnecessarily impacting things that actually matter,
then I'd be all for it. But in this case, I'm not sure the benefits
outweigh the costs.

[...]

-- 
The volume of a pizza of thickness a and radius z can be described by
the following formula:

pi zz a

Archive: http://lists.debian.org/20120820133551.gb7...@grep.be
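An upload handler written along the lines Wouter describes, added here as an illustration and not code from this thread or from Debian. It assumes an upload directory `/var/www/uploads` that Apache serves with script execution disabled, a PDO handle `$db`, and a table `uploads(stored_name, original_name)` for keeping the client-supplied name as data rather than as a path.

```php
<?php
// Added example: keep the user's filename out of the filesystem entirely.
// Assumes /var/www/uploads is served by an Apache block such as
//   <Directory /var/www/uploads>
//       Options -ExecCGI -Includes
//       php_admin_flag engine off   # when PHP runs as mod_php
//   </Directory>
// so nothing stored there is executed, whatever it happens to be called.

declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';   // assumed location

function store_upload(array $file, PDO $db): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed: error ' . $file['error']);
    }

    // Check the content, never the client-supplied name or extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ['image/jpeg', 'image/png'], true)) {
        throw new RuntimeException('unexpected content type ' . $mime);
    }

    // Server-generated name: random, with an extension derived from the
    // verified content type, so "bar.php.jpeg" never reaches the disk.
    $stored = bin2hex(random_bytes(16)) . ($mime === 'image/jpeg' ? '.jpg' : '.png');
    $dest   = UPLOAD_DIR . '/' . $stored;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload');
    }

    // The original name is just data: it goes in the database, not on disk.
    $stmt = $db->prepare(
        'INSERT INTO uploads (stored_name, original_name) VALUES (?, ?)'
    );
    $stmt->execute([$stored, basename($file['name'])]);

    return $stored;
}

if (isset($_FILES['upload'])) {
    $db = new PDO('sqlite:/var/www/app.db');   // assumed database location
    echo store_upload($_FILES['upload'], $db), "\n";
}
```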