
Re: Possible release note for systems running PHP through CGI.

On 20/08/12 14:35, Wouter Verhelst wrote:
> On Mon, Aug 20, 2012 at 01:10:57PM +0100, Steven Chamberlain wrote:
>> Yes it's possible some people rely on that behaviour, e.g. serving JPEG
>> data from PHP scripts named like foo.php.jpeg.

Sorry, I was wrong.  For extensions like .jpeg with a known MIME type it
does not work.  So, people are unlikely to be relying on this effect.

http://lists.debian.org/CALjhHG8Dd+nv2UvGJBvrtuBDnA3M+o1afo0BQYLyFPqkHujZTg@mail.gmail.com

>> But some sites accept file uploads with arbitrary names, [...]
> Don't Do That Then(TM).

Yes I very much agree...

> [...] write your upload scripts so that they
> - Store uploads in a directory which is served by the webserver, but
>   without allowing any kind of script execution (i.e., "Options
>   -ExecCGI" and similar things for other scripting environments and/or
>   webservers)

I believe -ExecCGI would work for php5-cgi but not for
libapache2-mod-php5 (whose handler relies on MIME types).  To protect
against that, I notice our drupal6 packages create an .htaccess file in
the file uploads directory, with:

> SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006

(Advisory is at https://drupal.org/files/sa-2006-006/advisory.txt )

That also shows what a persistent problem this has been in the LAMP
webserver stack for many years.  I really hope FastCGI/FPM is an
opportunity to put this right, among other things.

Steven Chamberlain
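
Added example, not part of the original message or of any Debian or Drupal code: a Python helper for auditing an upload directory for names that would still resolve to the PHP MIME type, covering both the foo.php.jpeg case and the unknown-extension case discussed above. It assumes a simplified model of mod_mime's multiple-extension rule (unknown extensions are ignored, the right-most known one sets the type); `MIME_MAP`, `effective_type` and `risky_uploads` are hypothetical names and the table and file names are constructed.

```python
# Simplified model of Apache mod_mime's multi-extension rule (an assumption of
# this example): every dot-separated component after the base name is looked
# up, unknown ones are ignored, and the right-most known one sets the type.
PHP_TYPE = "application/x-httpd-php"

# Constructed sample table; a real audit would load the server's own mappings.
MIME_MAP = {
    "php": PHP_TYPE,
    "jpeg": "image/jpeg",
    "jpg": "image/jpeg",
    "png": "image/png",
    "txt": "text/plain",
}


def effective_type(filename, mime_map=MIME_MAP):
    """Return the MIME type the model assigns to filename, or None."""
    name = filename.rsplit("/", 1)[-1]
    extensions = name.split(".")[1:]  # first component is the base name
    result = None
    for ext in extensions:
        mapped = mime_map.get(ext.lower())  # extensions match case-insensitively
        if mapped is not None:
            result = mapped  # a later known extension overrides an earlier one
    return result


def risky_uploads(filenames, mime_map=MIME_MAP):
    """List names that would resolve to the PHP type in an upload directory."""
    return [f for f in filenames if effective_type(f, mime_map) == PHP_TYPE]


if __name__ == "__main__":
    # Constructed upload names for illustration.
    sample = ["photo.jpeg", "foo.php.jpeg", "foo.php.bak", "notes.php.txt",
              "upload.PHP", "report.tar.unknownext", "php.txt"]
    for name in sample:
        print(f"{name:24} -> {effective_type(name)}")
    print("flag for review:", risky_uploads(sample))
```

A handler override in the upload directory, such as the drupal6 .htaccess line quoted above, addresses the flagged names at the server level; the audit only shows which stored files depend on it.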
