(Template contents proof-read and formatted) |
|||
(2 intermediate revisions by one other user not shown) | |||
Line 1: | Line 1: | ||
+ | {{#CUSTOMTITLE:Dealing with Double File Extensions}} | ||
Due to security issues with Apache modules it is recommended to leave the following setting enabled: | Due to security issues with Apache modules it is recommended to leave the following setting enabled: | ||
{{{code}}} | {{{code}}} | ||
+ | |||
How does it work? Suppose the following scenario: | How does it work? Suppose the following scenario: | ||
If <code>php</code> is added to the '''denied extensions''' list, a file named <code>foo.php</code> cannot be uploaded. If <code>rar</code> (or any other) extension is added to the '''allowed extensions''' list, one can upload a file named <code>foo.rar</code>. The file <code>foo.php.rar</code> has a <code>rar</code> extension so in theory, it can also be uploaded. | If <code>php</code> is added to the '''denied extensions''' list, a file named <code>foo.php</code> cannot be uploaded. If <code>rar</code> (or any other) extension is added to the '''allowed extensions''' list, one can upload a file named <code>foo.rar</code>. The file <code>foo.php.rar</code> has a <code>rar</code> extension so in theory, it can also be uploaded. | ||
− | Under some circumstances Apache can treat the <code>foo.php.rar</code> file just like any other PHP script and execute it. If <code> | + | Under some circumstances Apache can treat the <code>foo.php.rar</code> file just like any other PHP script and execute it. If <code>{{{config}}}</code> is enabled, each part of the file name after a dot is checked, not only the last part. If extension is disallowed, the dot ('''.''') is replaced with an underscore ('''_'''). So the uploaded file <code>foo.php.rar</code> will be renamed into <code>foo_php.rar</code>. |
Latest revision as of 15:20, 21 December 2012
Due to security issues with Apache modules it is recommended to leave the following setting enabled: {{{code}}}
How does it work? Suppose the following scenario:
If php
is added to the denied extensions list, a file named foo.php
cannot be uploaded. If rar
(or any other) extension is added to the allowed extensions list, one can upload a file named foo.rar
. The file foo.php.rar
has a rar
extension so in theory, it can also be uploaded.
Under some circumstances Apache can treat the foo.php.rar
file just like any other PHP script and execute it. If {{{config}}}
is enabled, each part of the file name after a dot is checked, not only the last part. If extension is disallowed, the dot (.) is replaced with an underscore (_). So the uploaded file foo.php.rar
will be renamed into foo_php.rar
.