m (moved CKFinder/Developers Guide/PHP/Configuration/Security/Double file extensions to CKFinder 1.x/Developers Guide/PHP/Configuration/Security/Double file extensions) |
|||
(7 intermediate revisions by one other user not shown) | |||
Line 1: | Line 1: | ||
− | + | {{Ckfinder Double extensions Description|code=<pre>$config['CheckDoubleExtension'] = true ;</pre>}} | |
− | <pre> | ||
− | $config['CheckDoubleExtension'] = true; | ||
− | </pre> | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− |
Latest revision as of 07:46, 28 May 2010
Due to security issues with Apache modules, it is recommended to leave the following setting enabled:
$config['CheckDoubleExtension'] = true ;
How does it work? Suppose the following:
If "php" is on the denied extensions list, a file named foo.php cannot be uploaded. If "rar" (or any other) extension is allowed, one can upload a file named foo.rar. The file foo.php.rar has "rar" extension so, in theory, it can be also uploaded.
In some conditions Apache can treat the foo.php.rar file just like any PHP script and execute it. If CheckDoubleExtension is enabled, each part of the file name after a dot is checked, not only the last part. In this way, uploading foo.php.rar would be denied, because "php" is on the denied extensions list.