
Re: Possible release note for systems running PHP through CGI.



On 20/08/12 08:02, Wouter Verhelst wrote:
> On Sun, Aug 19, 2012 at 11:17:26AM +0900, Charles Plessy wrote:
>>  - In Squeeze, using default configurations, files with ".php" in their name
>>    such as "foo.php.jpeg" are executed as PHP scripts by the Apache web servers
>>    running PHP scripts through php5-cgi.
> 
> Maybe that's because it's expected they would be PHP scripts emitting
> JPEG files, not plain JPEG files? This seems like a feature to me, not a
> bug. Why was support for that removed?

Yes it's possible some people rely on that behaviour, e.g. serving JPEG
data from PHP scripts named like foo.php.jpeg.

But some sites accept file uploads with arbitrary names, perhaps
expected to be a JPEG image, but actually named bar.php.jpeg and
containing malicious server-side PHP which they could execute from the
browser.

If that behaviour is changed, then where the PHP preprocessor was
previously invoked because of the detected MIME type, it would now serve
up the source code instead (leading to information disclosure).

I imagine the 'safest' way to handle this is to preserve the original
behaviour, still recognising *.php* as PHP scripts, but deny access to
(through ACLs or a dummy handler) files containing ".php." in their
name, unless the filename actually ends in ".php".

/If/ that could work, it would limit any disruption to the two cases
where it might be a security issue.

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org
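One way to express the ACL approach proposed above in Apache 2.2 (the version shipped in Squeeze), as an added example that is not part of the thread; it assumes the existing php5-cgi handler configuration is left untouched and that this block is placed in the server or vhost configuration:

```apache
# Added example: keep mod_mime/php5-cgi behaviour as-is, but refuse to serve
# any file whose name contains ".php." unless the name actually ends in ".php".
#
# The pattern is PCRE: "(?i)" makes it case-insensitive (mod_mime matches
# extensions case-insensitively), "\.php\." finds the inner extension, and the
# negative lookbehind "(?<!\.php)$" exempts names that end in ".php", so
# "foo.php.jpeg" is denied while "foo.php" and "foo.php.jpeg.php" are still
# handed to the PHP handler.
<FilesMatch "(?i)\.php\..*(?<!\.php)$">
    Order allow,deny
    Deny from all
</FilesMatch>

# On Apache 2.4 the two directives inside the block become:
#     Require all denied
```

The denied names return 403 rather than PHP source, so the information-disclosure case described above does not arise; any site that legitimately serves e.g. foo.php.jpeg would need to rename those scripts.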