Re: Possible release note for systems running PHP through CGI.
On Mon, Aug 20, 2012 at 03:12:14PM +0100, Steven Chamberlain wrote:
> On 20/08/12 14:35, Wouter Verhelst wrote:
> > On Mon, Aug 20, 2012 at 01:10:57PM +0100, Steven Chamberlain wrote:
> >> Yes it's possible some people rely on that behaviour, e.g. serving JPEG
> >> data from PHP scripts named like foo.php.jpeg.
> Sorry, I was wrong. For extensions like .jpeg with a known MIME type it
> does not work. So, people are unlikely to be relying on this effect.
> >> But some sites accept file uploads with arbitrary names, [...]
> > Don't Do That Then(TM).
> Yes I very much agree...
> > [...] write your upload scripts so that they
> > - Store uploads in a directory which is served by the webserver, but
> > without allowing any kind of script execution (i.e., "Options
> > -ExecCGI" and similar things for other scripting environments and/or
> > webservers)
> I believe -ExecCGI would work for php5-cgi but not for
> libapache2-mod-php5 (whose handler relies on MIME types).
I did say "and similar things for other scripting environments" for a
> To protect against that, I notice our drupal6 packages create an .htaccess
> file in the file uploads directory, with:
> > SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Yes. This is exactly what I described above: make sure the uploads are
in a directory that disallows any kind of script execution.
The volume of a pizza of thickness a and radius z can be described by
the following formula:
pi zz a