
Re: Possible release note for systems running PHP through CGI.



On Mon, Aug 20, 2012 at 01:10:57PM +0100, Steven Chamberlain wrote:
> On 20/08/12 08:02, Wouter Verhelst wrote:
> > On Sun, Aug 19, 2012 at 11:17:26AM +0900, Charles Plessy wrote:
> >>  - In Squeeze, using default configurations, files with ".php" in their name
> >>    such as "foo.php.jpeg" are executed as PHP scripts by the Apache web servers
> >>    running PHP scripts through php5-cgi.
> > 
> > Maybe that's because it's expected they would be PHP scripts emitting
> > JPEG files, not plain JPEG files? This seems like a feature to me, not a
> > bug. Why was support for that removed?
> 
> Yes it's possible some people rely on that behaviour, e.g. serving JPEG
> data from PHP scripts named like foo.php.jpeg.
> 
> But some sites accept file uploads with arbitrary names, perhaps
> expected to be a JPEG image, but actually named bar.php.jpeg and
> containing malicious server-side PHP which they could execute from the
> browser.

Don't Do That Then(TM).

There are APIs for many server-side languages, including PHP, that allow
you to generate a filename for something a user uploads. If you rely on
the name as specified by a user, you not only invite this kind of
problem, but also directory traversals and similar things. Scripts not
using those APIs are buggy scripts, plain and simple. Fixing those bugs
should happen in the script, not by mucking about with the default
webserver configuration.

The right solution to this problem is instead to write your upload
scripts so that they
- Store uploads in a directory which is served by the webserver, but
  without allowing any kind of script execution (i.e., "Options
  -ExecCGI" and similar things for other scripting environments and/or
  webservers)
- Use a server-generated filename, and throw away whatever the user
  sent. If you do still need the user-specified filename for some weird
  reason, then store it in a database.

Alternatively, you could only allow trusted users to upload files (but
obviously, that isn't always a solution).

Writing secure code for the web is hard; fixing that isn't really
possible. Now if some change were to make it possible to improve
security without unnecessarily impacting things that actually matter,
then I'd be all for it. But in this case, I'm not sure the benefits
outweigh the costs.

[...]
-- 
The volume of a pizza of thickness a and radius z can be described by
the following formula:

pi zz a

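The upload handler described in the message above, written out as an added example (it is not code from the original mail, from Debian or from the PHP project). It assumes a hypothetical upload directory /var/www/uploads that Apache serves with "Options -ExecCGI" and no PHP handler, a hypothetical SQLite database /var/www/data/uploads.db for the user-supplied name, and a form field called "upload"; the function name storeUpload and the table layout are likewise this example's own choices. The extension of the stored file comes from the detected content type, never from the name the browser sent, so an upload named bar.php.jpeg ends up as <random>.jpg in a directory where nothing is executed anyway.

```php
<?php
// Added example: server-generated filenames for uploads, original name kept
// only as data in a database. Paths, table name and field name are assumptions.
//
// Matching Apache configuration for the upload directory (assumed path):
//   <Directory /var/www/uploads>
//       Options -ExecCGI -Includes
//       RemoveHandler .php
//       php_admin_flag engine off   # only with mod_php; harmless otherwise
//   </Directory>

const UPLOAD_DIR = '/var/www/uploads';           // assumption: served, no script execution
const DB_DSN     = 'sqlite:/var/www/data/uploads.db'; // assumption: outside the web root

// Content types we accept, mapped to the extension the server will use.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Store one entry of $_FILES under a server-chosen name.
 * Returns the stored filename, or null if the upload was rejected.
 */
function storeUpload(array $file, PDO $db)
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Only accept files that really came in through this request's upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // Decide the type from the bytes, not from $file['name'] or $file['type']
    // (both are chosen by the client).
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        return null;
    }

    // Server-generated name: 128 random bits plus an extension we picked.
    $stored = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest   = UPLOAD_DIR . '/' . $stored;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }

    // The user-supplied name is only ever stored as a column value; it is
    // never used to build a path.
    $stmt = $db->prepare(
        'INSERT INTO uploads (stored_name, original_name, mime) VALUES (?, ?, ?)'
    );
    $stmt->execute([$stored, (string) ($file['name'] ?? ''), $mime]);

    return $stored;
}

if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['upload'])) {
    $db = new PDO(DB_DSN);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS uploads ('
        . 'id INTEGER PRIMARY KEY, stored_name TEXT UNIQUE NOT NULL, '
        . 'original_name TEXT NOT NULL, mime TEXT NOT NULL)');

    $name = storeUpload($_FILES['upload'], $db);
    header('Content-Type: text/plain');
    echo $name === null ? "upload rejected\n" : "stored as {$name}\n";
}
```

When the original name is needed later (for a download link, say), it is read back from the uploads table and sent in a Content-Disposition header, while the URL still points at the server-generated name. Note that the Apache stanza is what protects uploads even if a script elsewhere on the site forgets this pattern; the two measures are meant to be used together, as the list in the message says.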