
Why PHP is parsing not only .php



Hello.
Please, take a look at this:
http://www.milc.com.pl/aa.php.txt

Why is PHP parsing a file with a ".php.txt" extension? I think that is a
security hole, because we can easily imagine that there is a PHP
script that should allow uploading only .txt files. 99% of coders will
check this with /.+?\.txt$/ because it is logical that a PHP script is
everything that ends with ".php".
Is there any way to prevent a situation where not only /.+?\.php/ is
parsed by PHP?
If you need any additional information (config files, or something) let
me know, I will send it with pleasure.

-- 
Bartłomiej Butyn aka Yoss
There is nothing so bad that it could not turn out worse.
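
The upload check described in the message, next to a stricter one, as an added example that is not part of the original post. The function names and sample filenames are constructed for illustration.

```php
<?php
// Added example: filename checks for an upload script that should accept only .txt.
// All names and sample values below are constructed for illustration.

// The check from the message: accept any name that ends in ".txt".
// It accepts "aa.php.txt", and because "$" without the D modifier also matches
// just before a trailing newline, it accepts "notes.txt\n" as well.
function naive_is_txt(string $name): bool
{
    return preg_match('/.+?\.txt$/', $name) === 1;
}

// Stricter check: the whole name must be one base name from a small alphabet
// followed by exactly one extension, ".txt". No second dot, no path separators,
// and \A ... \z anchor the match to the true start and end of the string.
function strict_is_txt(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,100}\.txt\z/', $name) === 1;
}

// Name to use on disk: generated by the server, never taken from the client.
function stored_name(): string
{
    return bin2hex(random_bytes(16)) . '.txt';
}

$samples = [
    'notes.txt',        // ordinary text file
    'aa.php.txt',       // the double extension from the message
    'aa.PHP.txt',       // same, different case
    'report.txt.php',   // ends in .php, rejected by both checks
    "notes.txt\n",      // trailing newline slips past "$"
    '../x.txt',         // path component
];

foreach ($samples as $s) {
    printf(
        "%-16s naive=%-3s strict=%s\n",
        addcslashes($s, "\n"),
        naive_is_txt($s) ? 'yes' : 'no',
        strict_is_txt($s) ? 'yes' : 'no'
    );
}

printf("stored as: %s\n", stored_name());
```

Storing each upload under a server-generated name, in a directory the web server does not execute scripts from, removes the dependence on the client-supplied filename altogether.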


