Due to security issues with Apache modules it is recommended to leave the following setting enabled:
$config['CheckDoubleExtension'] = true ;
How does it work? Suppose the following scenario:
If php
is added to the denied extensions list, a file named foo.php
cannot be uploaded. If rar
(or any other) extension is added to the allowed extensions list, one can upload a file named foo.rar
. The file foo.php.rar
has a rar
extension so in theory, it can also be uploaded.
Under some circumstances Apache can treat the foo.php.rar
file just like any other PHP script and execute it. If {{{config}}}
is enabled, each part of the file name after a dot is checked, not only the last part. If extension is disallowed, the dot (.) is replaced with an underscore (_). So the uploaded file foo.php.rar
will be renamed into foo_php.rar
.