On Mon, May 4, 2009 at 8:31 PM, Tomasz Pala <[email protected]> wrote: > I know only one application having direct web access to uploaded data: > coppermine-gallery (Alias /cpg/albums /var/lib/coppermine-gallery/albums) > > I've created index.php.jpg and the file was fetched (not parsed and > executed) - that's probably due to registered mime-type. Conclusion #1: > - if webapp cares about file extension, nothing bad should happen. > > OK, let's assume our webapp doesn't check anything: mv index.php.jp{g,} > Now the Bad File indeed is executed. Let's try to fix our webapp: > > http://cvs.pld-linux.org/cgi-bin/cvsweb/packages/coppermine-gallery/coppermine-gallery-apache.conf?r1=1.4&r2=1.5 > > tadam. I think that's the way upload dirs should be protected.
I don't think that's a proper solution. It might be ok for php apps but putting php_* inside a Perl or Python tool is a no-no. glen suggested something like "SetHandler DoNothing" (that's what Drupal does - set handler to a non-existent action to disable all parsers). -- Patryk Zawadzki _______________________________________________ pld-devel-en mailing list [email protected] http://lists.pld-linux.org/mailman/listinfo/pld-devel-en
