Re: Fwd: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine

On Fri, 2012-10-26 at 13:18 +0200, Ondřej Surý wrote:
> + It is also advised that
> + you check your custom configuration whether it's not vulnerable to
> + foo.php.jpeg attacks.  The php5_cgi configuration snippet can be used
> + as base - it's important to use FilesMatch or Files directive to
> + limit the handling to the last extension.
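
Review bot: "foo.php.jpeg attacks" in the second sentence of this hunk is named but never defined, and the closing sentence only implies the problem through "limit the handling to the last extension". Suggest adding one sentence saying that a file named like foo.php.jpeg must not be handled as PHP merely because .php appears somewhere in its name, and stating where the php5_cgi snippet is installed so readers can compare their own configuration against it. The wording "check your custom configuration whether it's not vulnerable" would also read more clearly as "check that your custom configuration is not vulnerable".
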
Can we perhaps explain a bit more what the foo.php.jpeg attack is? The
last sentence hints at it already a bit... but I guess without a clear
explanation people may simply skip it.

> I think it became clear that we are stuck with no solution which would
> work for anyone
Do you agree... that we should work on some hopefully
general-everything-works framework for jessie?

