(CHeckDoubleExtension replaced with {{{config}}} variable) |
|||
Line 7: | Line 7: | ||
If <code>php</code> is added to the '''denied extensions''' list, a file named <code>foo.php</code> cannot be uploaded. If <code>rar</code> (or any other) extension is added to the '''allowed extensions''' list, one can upload a file named <code>foo.rar</code>. The file <code>foo.php.rar</code> has a <code>rar</code> extension so in theory, it can also be uploaded. | If <code>php</code> is added to the '''denied extensions''' list, a file named <code>foo.php</code> cannot be uploaded. If <code>rar</code> (or any other) extension is added to the '''allowed extensions''' list, one can upload a file named <code>foo.rar</code>. The file <code>foo.php.rar</code> has a <code>rar</code> extension so in theory, it can also be uploaded. | ||
− | Under some circumstances Apache can treat the <code>foo.php.rar</code> file just like any other PHP script and execute it. If <code>{{{config}}}</code> is enabled, each part of the file name after a dot is checked, not only the last part. | + | Under some circumstances Apache can treat the <code>foo.php.rar</code> file just like any other PHP script and execute it. If <code>{{{config}}}</code> is enabled, each part of the file name after a dot is checked, not only the last part. If extension is disallowed, the dot ('''.''') is replaced with an underscore ('''_'''). So the uploaded file <code>foo.php.rar</code> will be renamed into <code>foo_php.rar</code>. |
Latest revision as of 15:20, 21 December 2012
Due to security issues with Apache modules it is recommended to leave the following setting enabled: {{{code}}}
How does it work? Suppose the following scenario:
If php
is added to the denied extensions list, a file named foo.php
cannot be uploaded. If rar
(or any other) extension is added to the allowed extensions list, one can upload a file named foo.rar
. The file foo.php.rar
has a rar
extension so in theory, it can also be uploaded.
Under some circumstances Apache can treat the foo.php.rar
file just like any other PHP script and execute it. If {{{config}}}
is enabled, each part of the file name after a dot is checked, not only the last part. If extension is disallowed, the dot (.) is replaced with an underscore (_). So the uploaded file foo.php.rar
will be renamed into foo_php.rar
.