(ForceSingleExtension replaced the {{{config}}} variable) |
|||
Line 1: | Line 1: | ||
− | {{Ckfinder_2.x Double extensions Description|code=<pre>ForceSingleExtension = true;</pre>}} | + | {{Ckfinder_2.x Double extensions Description|code=<pre>ForceSingleExtension = true;</pre>|config=ForceSingleExtension}} |
It can be safely disabled on IIS. | It can be safely disabled on IIS. |
Revision as of 13:13, 29 March 2011
Due to security issues with Apache modules it is recommended to leave the following setting enabled:
ForceSingleExtension = true;
How does it work? Suppose the following scenario:
If php
is added to the denied extensions list, a file named foo.php
cannot be uploaded. If rar
(or any other) extension is added to the allowed extensions list, one can upload a file named foo.rar
. The file foo.php.rar
has a rar
extension so in theory, it can also be uploaded.
Under some circumstances Apache can treat the foo.php.rar
file just like any other PHP script and execute it. If ForceSingleExtension
is enabled, each part of the file name after a dot is checked, not only the last part. If extension is disallowed, the dot (.) is replaced with an underscore (_). So the uploaded file foo.php.rar
will be renamed into foo_php.rar
.
It can be safely disabled on IIS.