Template:Ckfinder 2.x Double extensions Description - Revision history

Wiktor at 14:20, 21 December 2012

2012-12-21T14:20:50Z

Anna: CHeckDoubleExtension replaced with {{{config}}} variable

2011-03-29T12:10:24Z

CHeckDoubleExtension replaced with {{{config}}} variable

Anna: Custom title added

2011-03-29T08:49:54Z

Custom title added

Anna: Template contents proof-read and formatted

2011-03-28T14:25:38Z

Template contents proof-read and formatted

Wiktor: moved Template:Ckfinder Double extensions Description 2.x to Template:Ckfinder 2.x Double extensions Description

2010-05-14T18:50:38Z

moved Template:Ckfinder Double extensions Description 2.x to Template:Ckfinder 2.x Double extensions Description

Wiktor: Created page with 'Due to security issues with Apache modules, it is recommended to leave the following setting enabled: {{{code}}} How does it work? Suppose the following: If "php" is on the deni…'

2010-05-14T18:13:24Z

Created page with 'Due to security issues with Apache modules, it is recommended to leave the following setting enabled: {{{code}}} How does it work? Suppose the following: If "php" is on the deni…'

New page

Due to security issues with Apache modules, it is recommended to leave the following setting enabled:
{{{code}}}
How does it work? Suppose the following:

If "php" is on the denied extensions list, a file named foo.php cannot be uploaded. If "rar" (or any other) extension is allowed, one can upload a file named foo.rar. The file foo.php.rar has "rar" extension so, in theory, it can be also uploaded.

In some conditions Apache can treat the foo.php.rar file just like any PHP script and execute it. If CheckDoubleExtension is enabled, each part of the file name after a dot is checked, not only the last part. In this way, uploading foo.php.rar would be denied, because "php" is on the denied extensions list.

← Older revision		Revision as of 14:20, 21 December 2012
Line 7:		Line 7:
	If <code>php</code> is added to the '''denied extensions''' list, a file named <code>foo.php</code> cannot be uploaded. If <code>rar</code> (or any other) extension is added to the '''allowed extensions''' list, one can upload a file named <code>foo.rar</code>. The file <code>foo.php.rar</code> has a <code>rar</code> extension so in theory, it can also be uploaded.		If <code>php</code> is added to the '''denied extensions''' list, a file named <code>foo.php</code> cannot be uploaded. If <code>rar</code> (or any other) extension is added to the '''allowed extensions''' list, one can upload a file named <code>foo.rar</code>. The file <code>foo.php.rar</code> has a <code>rar</code> extension so in theory, it can also be uploaded.

−	Under some circumstances Apache can treat the <code>foo.php.rar</code> file just like any other PHP script and execute it. If <code>{{{config}}}</code> is enabled, each part of the file name after a dot is checked, not only the last part. ~~In this approach uploading~~ <code>foo.php.rar</code> ~~would~~ be ~~denied, because~~ <code>~~php~~</code> ~~can be found on the denied extensions list~~.	+	Under some circumstances Apache can treat the <code>foo.php.rar</code> file just like any other PHP script and execute it. If <code>{{{config}}}</code> is enabled, each part of the file name after a dot is checked, not only the last part. If extension is disallowed, the dot ('''.''') is replaced with an underscore ('''_'''). So the uploaded file <code>foo.php.rar</code> will be renamed into <code>foo_php.rar</code>.

← Older revision		Revision as of 12:10, 29 March 2011
Line 7:		Line 7:
	If <code>php</code> is added to the '''denied extensions''' list, a file named <code>foo.php</code> cannot be uploaded. If <code>rar</code> (or any other) extension is added to the '''allowed extensions''' list, one can upload a file named <code>foo.rar</code>. The file <code>foo.php.rar</code> has a <code>rar</code> extension so in theory, it can also be uploaded.		If <code>php</code> is added to the '''denied extensions''' list, a file named <code>foo.php</code> cannot be uploaded. If <code>rar</code> (or any other) extension is added to the '''allowed extensions''' list, one can upload a file named <code>foo.rar</code>. The file <code>foo.php.rar</code> has a <code>rar</code> extension so in theory, it can also be uploaded.

−	Under some circumstances Apache can treat the <code>foo.php.rar</code> file just like any other PHP script and execute it. If <code>~~CheckDoubleExtension~~</code> is enabled, each part of the file name after a dot is checked, not only the last part. In this approach uploading <code>foo.php.rar</code> would be denied, because <code>php</code> can be found on the denied extensions list.	+	Under some circumstances Apache can treat the <code>foo.php.rar</code> file just like any other PHP script and execute it. If <code>{{{config}}}</code> is enabled, each part of the file name after a dot is checked, not only the last part. In this approach uploading <code>foo.php.rar</code> would be denied, because <code>php</code> can be found on the denied extensions list.

@@ Line 1: / Line 1: @@
 Due to security issues with Apache modules it is recommended to leave the following setting enabled:
 {{{code}}}
 How does it work? Suppose the following scenario:

@@ Line 1: / Line 1: @@
-Due to security issues with Apache modules, it is recommended to leave the following setting enabled:
+Due to security issues with Apache modules it is recommended to leave the following setting enabled:
 {{{code}}}
-How does it work? Suppose the following:
+How does it work? Suppose the following scenario:
-If "php" is on the denied extensions list, a file named foo.php cannot be uploaded. If "rar" (or any other) extension is allowed, one can upload a file named foo.rar. The file foo.php.rar has "rar" extension so, in theory, it can be also uploaded.
+If <code>php</code> is added to the '''denied extensions''' list, a file named <code>foo.php</code> cannot be uploaded. If <code>rar</code> (or any other) extension is added to the '''allowed extensions''' list, one can upload a file named <code>foo.rar</code>. The file <code>foo.php.rar</code> has a <code>rar</code> extension so in theory, it can also be uploaded.
-In some conditions Apache can treat the foo.php.rar file just like any PHP script and execute it. If CheckDoubleExtension is enabled, each part of the file name after a dot is checked, not only the last part. In this way, uploading foo.php.rar would be denied, because "php" is on the denied extensions list.
+Under some circumstances Apache can treat the <code>foo.php.rar</code> file just like any other PHP script and execute it. If <code>CheckDoubleExtension</code> is enabled, each part of the file name after a dot is checked, not only the last part. In this approach uploading <code>foo.php.rar</code> would be denied, because <code>php</code> can be found on the denied extensions list.

← Older revision	Revision as of 18:50, 14 May 2010
(No difference)