Fwd: packages: php/php-mod_php.conf - match only *.php for added security by avo...

Patryk Zawadzki patrys at pld-linux.org
Mon May 4 20:57:36 CEST 2009


On Mon, May 4, 2009 at 8:31 PM, Tomasz Pala <gotar at polanet.pl> wrote:
> I know only one application having direct web access to uploaded data:
> coppermine-gallery (Alias /cpg/albums /var/lib/coppermine-gallery/albums)
>
> I've created index.php.jpg and the file was fetched (not parsed and
> executed) - that's probably due to registered mime-type. Conclusion #1:
> - if webapp cares about file extension, nothing bad should happen.
>
> OK, let's assume our webapp doesn't check anything: mv index.php.jp{g,}
> Now the Bad File indeed is executed. Let's try to fix our webapp:
>
> http://cvs.pld-linux.org/cgi-bin/cvsweb/packages/coppermine-gallery/coppermine-gallery-apache.conf?r1=1.4&r2=1.5
>
> tadam. I think that's the way upload dirs should be protected.

I don't think that's a proper solution. It might be ok for php apps
but putting php_* inside a Perl or Python tool is a no-no. glen
suggested something like "SetHandler DoNothing" (that's what Drupal
does - set handler to a non-existent action to disable all parsers).

-- 
Patryk Zawadzki


More information about the pld-devel-en mailing list