On 5/25/06, Rich Bowen <[EMAIL PROTECTED]> wrote:
The folks at Drupal have apparently just discovered that
something.php.bar is executed as PHP, and, thus, checking to see if a
file ends with .php is not sufficient to ensure that their file upload
feature can't be exploited.

In fact, they have a whitelist, and check to see that the files end only with
stuff on the whitelist, so it's a little more robust than that, but
still fairly easy to get around.

I've been asked to pass on a request for a configuration directive to
disable the support for multiple file extensions - that is, ensure that
only the final file extension is honored when determining how to handle
a file.

I haven't thought through all the implications of such a directive, nor
do I know how feasible it is. But I've passed on the request.

You can pass back
<FilesMatch \.php$>
SetHandler php-script
</FilesMatch>
(in place of any other method of activating php)

Yes, this confuses many people who aren't used to the fact that a file
can have more than one extension.  But I believe it is easy enough to
deal with when you know about it.  Given the existence of
<FilesMatch>, I don't think we really need to add an option to
AddHandler/AddType/etc.

(I'm trying not to comment about the general wisdom of having a
file-upload area that has any kind of dynamic processing enabled in
any way...)

Joshua.
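As an added illustration, not part of the thread above: a small Python model of the three layers discussed (mod_mime's any-segment extension matching under AddHandler, the `<FilesMatch \.php$>` alternative, and a final-extension upload whitelist like the one described). The handler table and whitelist are constructed for the example, and the mod_mime emulation is a simplification of httpd's behaviour, not its source.

```python
import re

# Constructed tables for the example (assumptions, not a real site's config).
# ADD_HANDLER models "AddHandler php-script .php"; mod_mime lowercases
# extensions before looking them up, so the match is case-insensitive.
ADD_HANDLER = {"php": "php-script"}
# A final-extension whitelist of the kind the upload feature uses.
UPLOAD_WHITELIST = {"txt", "jpg", "png"}

# The regex from the FilesMatch block in the message, applied as written
# (case-sensitive, anchored to the end of the name).
_PHP_FINAL = re.compile(r"\.php$")


def mod_mime_handler(filename):
    """Handler mod_mime would choose under AddHandler.

    Every dot-separated segment after the basename is a candidate
    extension; unknown segments are skipped, so 'x.php.bar' still
    picks up php-script from its middle segment.
    """
    for ext in filename.split(".")[1:]:
        handler = ADD_HANDLER.get(ext.lower())
        if handler is not None:
            return handler
    return None


def filesmatch_handler(filename):
    """Handler under '<FilesMatch \\.php$> SetHandler php-script'.

    Only a trailing '.php' selects the handler; extra trailing
    extensions defeat the match, which is the point of the advice.
    """
    return "php-script" if _PHP_FINAL.search(filename) else None


def whitelist_allows(filename):
    """The upload check: is the final extension on the whitelist?"""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in UPLOAD_WHITELIST


def audit(filename):
    """What each layer decides for one uploaded filename."""
    return {
        "whitelist_allows": whitelist_allows(filename),
        "addhandler": mod_mime_handler(filename),
        "filesmatch": filesmatch_handler(filename),
    }
```

Running `audit("upload.php.txt")` shows the mismatch the thread is about: the whitelist accepts the name, AddHandler-style matching would still hand it to php-script, and the FilesMatch rule does not. Because the regex is case-sensitive as written, a deployment on a case-insensitive filesystem would want `(?i)` or a `[Pp][Hh][Pp]` class in it.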
