DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=43372>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=43372

           Summary: addhandler behavior poorly defined
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: major
          Priority: P2
         Component: Documentation
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]


The documentation does not at all make clear that AddType will scan a file
name for an extension instead of using the end of the filename as the
extension. That is, the following directive:

    AddHandler x-httpd-php .php

Will cause all of the following files to be marked as x-httpd-php files:

    test.php
    test.php.gz
    test.php.html.gz
    test.gz.php.html
    test.php.jpg
    test.php.txt

In some cases, this can result in a huge security hole when using AddHandler
to register handlers for PHP or other script/CGI engines. Some distributions
of Apache are shipping with AddHandler directives for certain script engine
modules where AddType directives should be used, resulting in security
vulnerabilities for applications that allow users to upload files and only
use extension checks (admittedly a fault in the application, but it's
apparently common).

The documentation for AddHandler simply doesn't make it obvious that this
will occur, which I believe is why many experienced Apache distribution
maintainers and administrators are using AddHandler instead of AddType when
they shouldn't be.

(Note that I have filed bugs to alter the default configurations for the
Apache distributions I've found with this configuration error already. This
bug is for a documentation enhancement, not for a change in any particular
distribution's default configuration.)

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
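The following is an added illustration of the matching rule the report describes; it is not part of the bug report and not code from httpd. It models mod_mime's extension walk in Python: every dot-separated component of the basename after the first is treated as an extension and looked up case-insensitively, so a handler bound to .php fires for test.php.jpg just as it does for test.php. Next to it is the end-anchored alternative (a <FilesMatch "\.php$"> block with SetHandler, which matches only the final extension) and a hypothetical application-side upload check. The handler and type tables, the file list, and the function names are constructed for this example; the model ignores AddEncoding/AddLanguage and treats unrecognized extensions as httpd 2.x does, by skipping them.

```python
"""Simplified model of how mod_mime applies AddHandler to multi-extension names.

Added example, not from the bug report or the httpd source. Assumptions are
marked in comments; the tables below stand in for a small set of AddHandler
and AddType directives.
"""
import re

# Constructed stand-ins for:  AddHandler x-httpd-php .php
HANDLERS = {"php": "x-httpd-php"}
# Constructed stand-ins for a few AddType lines (only used for the report table).
TYPES = {"html": "text/html", "jpg": "image/jpeg", "txt": "text/plain"}


def extensions(path):
    """Extensions mod_mime would examine, in order and lowercased.

    Everything after the first dot of the basename is split on dots; empty
    components (from a name like 'a..b') are skipped.  A name with no dot has
    no extensions at all.
    """
    base = path.rsplit("/", 1)[-1]
    return [p.lower() for p in base.split(".")[1:] if p]


def addhandler_handler(path):
    """Handler selected by AddHandler semantics: any extension component can
    set it, and a later component with its own handler would override it.
    Components with no handler (like .jpg or .gz) leave it untouched."""
    handler = None
    for ext in extensions(path):
        if ext in HANDLERS:
            handler = HANDLERS[ext]
    return handler


def filesmatch_handler(path, pattern=r"\.php$"):
    """Handler under  <FilesMatch "\\.php$"> SetHandler x-httpd-php </FilesMatch>:
    the regex is anchored at the end, so only the final extension counts.
    FilesMatch regexes are case-sensitive unless written with (?i)."""
    base = path.rsplit("/", 1)[-1]
    return "x-httpd-php" if re.search(pattern, base) else None


def content_type(path):
    """Type selected by AddType semantics (last matching component wins)."""
    ctype = None
    for ext in extensions(path):
        if ext in TYPES:
            ctype = TYPES[ext]
    return ctype


def upload_allowed(filename, allowed=frozenset({"jpg", "png", "gif", "txt"})):
    """Hypothetical application-side check for a server that uses AddHandler.

    Checking only the final extension is exactly the mistake the report
    describes, so this rejects a name if ANY component is a handled
    extension, and additionally requires the final one to be on an allow-list.
    Returns True only for names that are safe under both rules.
    """
    exts = extensions(filename)
    if not exts or exts[-1] not in allowed:
        return False
    return not any(e in HANDLERS for e in exts)


def report(files):
    """Per-file comparison of the two configurations; returns a dict of tuples
    (AddHandler result, FilesMatch result, content type)."""
    return {f: (addhandler_handler(f), filesmatch_handler(f), content_type(f))
            for f in files}


if __name__ == "__main__":
    # The file names listed in the bug report, plus a couple of controls.
    sample = ["test.php", "test.php.gz", "test.php.html.gz", "test.gz.php.html",
              "test.php.jpg", "test.php.txt", "test.jpg", "test.PHP.jpg"]
    for name, (ah, fm, ct) in report(sample).items():
        print(f"{name:20} AddHandler={ah!s:12} FilesMatch={fm!s:12} type={ct}")
```

Running the block prints one row per name: every file containing a .php component gets x-httpd-php under the AddHandler model, while only test.php does under the end-anchored FilesMatch model. The upload_allowed check shows the corresponding application-side rule; it is a stopgap for the case the report describes, not a substitute for fixing the server configuration.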
