Dealing with Double File Extensions


(CheckDoubleExtension replaced with {{{config}}} variable)
 
Line 7: Line 7:
 
If <code>php</code> is added to the '''denied extensions''' list, a file named <code>foo.php</code> cannot be uploaded. If <code>rar</code> (or any other) extension is added to the '''allowed extensions''' list, one can upload a file named <code>foo.rar</code>. The file <code>foo.php.rar</code> has a <code>rar</code> extension so in theory, it can also be uploaded.
 
If <code>php</code> is added to the '''denied extensions''' list, a file named <code>foo.php</code> cannot be uploaded. If <code>rar</code> (or any other) extension is added to the '''allowed extensions''' list, one can upload a file named <code>foo.rar</code>. The file <code>foo.php.rar</code> has a <code>rar</code> extension so in theory, it can also be uploaded.
  
Under some circumstances Apache can treat the <code>foo.php.rar</code> file just like any other PHP script and execute it. If <code>{{{config}}}</code> is enabled, each part of the file name after a dot is checked, not only the last part. In this approach uploading <code>foo.php.rar</code> would be denied, because <code>php</code> can be found on the denied extensions list.
+
Under some circumstances Apache can treat the <code>foo.php.rar</code> file just like any other PHP script and execute it. If <code>{{{config}}}</code> is enabled, each part of the file name after a dot is checked, not only the last part. If extension is disallowed, the dot ('''.''') is replaced with an underscore ('''_'''). So the uploaded file <code>foo.php.rar</code> will be renamed into <code>foo_php.rar</code>.
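Review bot: the replaced paragraph changes the described outcome from rejecting the upload (old text: "uploading foo.php.rar would be denied") to silently renaming it (new text: "renamed into foo_php.rar"), but the sentence before it still only says each part "is checked" without saying what a failed check does, so a reader has to infer that a denied inner part triggers a rename rather than a rejection; suggest stating it in one sentence, e.g. "each part of the file name after a dot is checked against the denied extensions list; a disallowed part is kept but the dot in front of it is replaced with an underscore". Two smaller points on the same lines: "If extension is disallowed" is missing an article ("If an extension"), and since the setting name is now the template parameter {{{config}}}, the paragraph no longer names the setting anywhere, so wherever the template is rendered without that parameter the page literally reads "If {{{config}}} is enabled" (as the "Latest revision" text below this diff shows).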

Latest revision as of 15:20, 21 December 2012

Due to security issues with Apache modules, it is recommended to leave the following setting enabled: {{{code}}}

How does it work? Suppose the following scenario:

If php is added to the denied extensions list, a file named foo.php cannot be uploaded. If the rar extension (or any other) is added to the allowed extensions list, one can upload a file named foo.rar. The file foo.php.rar has a rar extension, so in theory it can also be uploaded.

Under some circumstances, Apache can treat the foo.php.rar file just like any other PHP script and execute it: mod_mime examines every extension in a file name, not only the last one, so the php part still matches the PHP handler. If {{{config}}} is enabled, each part of the file name after a dot is checked, not only the last part. If a part is disallowed, the dot (.) in front of it is replaced with an underscore (_), so the uploaded file foo.php.rar is renamed to foo_php.rar.
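The check described above, as an added example in Python (not CKFinder's own connector code): a naive last-extension filter beside the double-extension version that renames foo.php.rar to foo_php.rar, plus a small model of how Apache mod_mime consults every extension. The ALLOWED and DENIED lists are constructed for the example.

```python
# Added example modelling the double-extension check from this page.
# ALLOWED and DENIED are constructed sample lists, not CKFinder defaults.
ALLOWED = {"rar", "zip", "jpg"}
DENIED = {"php", "phtml", "php5"}


def apache_treats_as_php(name, php_exts=DENIED):
    """Model Apache mod_mime: with AddHandler, every extension in the
    name is consulted, not only the last one, so foo.php.rar reaches the
    PHP handler. This is the 'some circumstances' the page refers to."""
    return any(part.lower() in php_exts for part in name.split(".")[1:])


def last_extension_allowed(name, allowed, denied):
    """The naive check: only the final extension is inspected."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in allowed and ext not in denied


def sanitize_upload_name(name, allowed, denied, check_double_extension=True):
    """Return the name the upload is stored under, or None if rejected.

    The last extension must pass the allowed/denied lists. When
    check_double_extension is on, every inner dot-separated part is also
    tested against the denied list; a disallowed part keeps its text but
    loses the dot in front of it (foo.php.rar -> foo_php.rar).
    """
    if not last_extension_allowed(name, allowed, denied):
        return None
    if not check_double_extension:
        return name
    parts = name.split(".")
    stored = parts[0]
    for part in parts[1:-1]:  # inner parts only; the last was validated above
        stored += ("_" if part.lower() in denied else ".") + part
    return stored + "." + parts[-1]


if __name__ == "__main__":
    for candidate in ("foo.rar", "foo.php", "foo.php.rar", "a.PHP.phtml.zip"):
        stored = sanitize_upload_name(candidate, ALLOWED, DENIED)
        runnable = stored is not None and apache_treats_as_php(stored)
        print(f"{candidate:16} -> {str(stored):16} executed by Apache: {runnable}")
```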

This page was last edited on 21 December 2012, at 15:20.