Revision as of 12:44, 18 May 2010
Due to security issues with Apache modules it is recommended to leave the following setting enabled:
ForceSingleExtension = true;
How does it work? Suppose the following scenario:
If php is added to the denied extensions list, a file named foo.php cannot be uploaded. If the rar (or any other) extension is added to the allowed extensions list, one can upload a file named foo.rar. The file foo.php.rar has a rar extension, so in theory it can also be uploaded.
Under some circumstances Apache can treat the foo.php.rar file just like any other PHP script and execute it. If ForceSingleExtension is enabled, each part of the file name after a dot is checked, not only the last part. If an extension is disallowed, the dot (.) is replaced with an underscore (_). So the uploaded file foo.php.rar will be renamed to foo_php.rar.
It can be safely disabled on IIS.
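The renaming rule described above, as an added Python sketch (not CKFinder's own code). The function names are hypothetical, and treating "disallowed" as "on the denied list, or missing from a non-empty allowed list" is an assumption.

```python
def extension_allowed(ext, allowed, denied):
    """True if ext passes the lists (assumption: an empty allowed list permits all)."""
    ext = ext.lower()
    if ext in denied:
        return False
    return not allowed or ext in allowed


def sanitize_upload_name(filename, allowed, denied, force_single_extension=True):
    """Return the name to store the upload under, or None if it is rejected.

    The last extension decides whether the upload is accepted at all.
    With force_single_extension enabled, every other dot-separated part
    is checked too, and the dot in front of a disallowed part becomes
    an underscore, so the web server no longer sees it as an extension.
    """
    allowed = {e.lower() for e in allowed}
    denied = {e.lower() for e in denied}

    stem, dot, last = filename.rpartition(".")
    if not dot:                      # no dot at all: the extension is empty
        stem, last = filename, ""
    if not extension_allowed(last, allowed, denied):
        return None                  # e.g. foo.php with php denied
    if not force_single_extension or not dot:
        return filename              # only the last part was checked

    parts = stem.split(".")
    safe = parts[0]
    for part in parts[1:]:
        # Keep the dot only in front of parts that would pass on their own.
        sep = "." if extension_allowed(part, allowed, denied) else "_"
        safe += sep + part
    return safe + "." + last


if __name__ == "__main__":
    # Constructed sample names, using the lists from the scenario above.
    for name in ("foo.php", "foo.rar", "foo.php.rar", "foo.PHP.rar"):
        print(name, "->", sanitize_upload_name(name, {"rar"}, {"php"}))
```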