** Summary changed:

- [Security] Mimetypes coming from package mime-support cannot be removed 
+ Mimetypes coming from package mime-support cannot be removed

** Description changed:

  Hi!
  
  Explanation from httpd.apache.org
  (http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext):
  Files can have more than one extension, and the order of the extensions is
  normally irrelevant. For example, if the file welcome.html.fr maps onto content
  type text/html and language French then the file welcome.fr.html will map onto
  exactly the same information. If more than one extension is given that maps
  onto the same type of meta-information, then the one to the right will be used,
  except for languages and content encodings. For example, if .gif maps to the
  MIME-type image/gif and .html maps to the MIME-type text/html, then the file
  welcome.gif.html will be associated with the MIME-type text/html.
  
  On several PHP-based web-applications file(-upload) filtering is based on the
  last file-extension. If you want to prevent php processing for malicious files
  one could use a pattern like
    \.php[45]?$
  
  But as Apache supports "Multiple Extensions", also files like index.php.abc
  will be handed over to PHP preprocessor. If you would prefer only the last
  dot-separated part of the filename to be mapped to a particular piece of
  meta-data, Apache suggests to use "SetHandler". A PHP solution would be
    <FilesMatch \.php[45]?$>
        SetHandler application/x-httpd-php
    </FilesMatch>
  
  As apache2.2-common depends on mime-support it is already aware of php
  mime-types. Btw. this makes it totally useless to register these mime-
  types with file php5.conf in package libapache2-mod-php5 again.
  
  Because of the already registered mime types in /etc/mime.types you have to
  unregister these to only map files based on the last dot-separated part of the
  filename. To get rid of them you should be able to place
    RemoveHandler .php .php4 .php5 .phps .pht .phtml
    RemoveType .php .php4 .php5 .phps .pht .phtml
  somewhere in apache2.conf or php5.conf. Unfortunately this does not work!!
  Apache then still knows what to do with index.php.anydamnextension!
  
  I'm unsure what package to blame; "mime-support" for listing php mime
  types or "apache2.2-common" for not being able to unregister them.
- 
- 
- Marcus Krause
- 
- Member TYPO3 Security Team

-- 
Mimetypes coming from package mime-support cannot be removed 
https://bugs.launchpad.net/bugs/225105
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
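
Added example (not part of the original bug report and not Apache's code): a simplified Python model of the multiple-extension lookup described in the report, used to list upload names that the last-extension filter accepts but that still resolve to the PHP type. The type table, the sample listing and the helper names are constructed for illustration; lowercasing extensions is an assumption.

```python
import re

# Upload filter pattern quoted in the report: looks only at the end of the name.
LAST_EXT_FILTER = re.compile(r"\.php[45]?$")

# Constructed stand-in for the type table. The PHP extensions are the ones in
# the report's RemoveType line; gif/html come from the quoted Apache example.
PHP = "application/x-httpd-php"
TYPE_MAP = {ext: PHP for ext in ("php", "php4", "php5", "phps", "pht", "phtml")}
TYPE_MAP.update({"gif": "image/gif", "html": "text/html"})


def multi_ext_type(filename, type_map=TYPE_MAP):
    """Simplified model of "Multiple Extensions": every dot-separated part
    after the base name is looked up and the rightmost known one wins."""
    name = filename.rsplit("/", 1)[-1]
    mime = None
    for ext in name.split(".")[1:]:              # first part is the base name
        mime = type_map.get(ext.lower(), mime)   # lowercasing is an assumption
    return mime


def last_ext_type(filename, type_map=TYPE_MAP):
    """Mapping the report asks for: only the final extension decides."""
    parts = filename.rsplit("/", 1)[-1].split(".")
    return type_map.get(parts[-1].lower()) if len(parts) > 1 else None


def audit(filenames):
    """Names the last-extension filter accepts although multi-extension
    mapping would still associate them with the PHP type."""
    return [f for f in filenames
            if not LAST_EXT_FILTER.search(f) and multi_ext_type(f) == PHP]


if __name__ == "__main__":
    # Constructed listing of an upload directory.
    listing = ["index.php", "index.php.abc", "welcome.gif.html",
               "photo.gif", "notes.php5.bak", "report.php.gif"]
    for f in listing:
        print(f"{f:18} multi={multi_ext_type(f)} last={last_ext_type(f)}")
    print("flagged:", audit(listing))
```

The model covers type mapping only; handlers registered separately are a different kind of meta-information and are not modelled here.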
