a recent post on bugtraq highlighted an issue with how upstream has configured apache to invoke php, namely using addhandler, which has the behavior of matching the extension anywhere in the file. this means that foo.php.jpg will be run as php. where this becomes an issue is web apps that allow uploads into the webspace for images, pdfs, etc. if the app assumes that anything.jpg is safe, this addhandler feature will surprise it.

a fix is to replace two lines in /etc/httpd/conf.d/php.conf:

AddHandler php5-script .php
AddType text/html .php

with:

<FilesMatch \.php$>
SetHandler php5-script
ForceType text/html
</FilesMatch>

i have reported this upstream. hopefully they will see it as a problem and address it.
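To make the difference between the two configurations concrete, here is an added simulation (not code from the thread or from Apache) of how mod_mime resolves a multi-extension filename under the AddHandler lines versus the FilesMatch replacement, plus the check an upload handler would want; the directive tables are constructed assumptions mirroring the lines quoted above.

```python
import re

# Constructed directive tables mirroring the stock php.conf lines from the
# post plus a cgi-script line; assumptions for the simulation, not parsed
# from a real httpd.conf.
ADD_HANDLER = {".php": "php5-script", ".cgi": "cgi-script"}
ADD_TYPE = {".php": "text/html", ".jpg": "image/jpeg",
            ".gif": "image/gif", ".pdf": "application/pdf"}

# The replacement: <FilesMatch \.php$> SetHandler php5-script </FilesMatch>
FILESMATCH_PHP = re.compile(r"\.php$", re.IGNORECASE)


def extensions(filename):
    """Dot-separated extensions of the basename, in order, lower-cased
    (mod_mime matches extensions case-insensitively)."""
    base = filename.rsplit("/", 1)[-1]
    return ["." + p.lower() for p in base.split(".")[1:] if p]


def resolve_addhandler(filename):
    """AddHandler semantics: every extension is examined left to right; an
    extension that names a handler sets it, and a later extension that only
    sets a MIME type does not clear it. Returns (handler, mime_type)."""
    handler, mime = None, None
    for ext in extensions(filename):
        handler = ADD_HANDLER.get(ext, handler)
        mime = ADD_TYPE.get(ext, mime)
    return handler, mime


def resolve_filesmatch(filename):
    """FilesMatch semantics: the handler is set only when the whole basename
    ends in .php; any other name falls through to the default handler."""
    base = filename.rsplit("/", 1)[-1]
    return "php5-script" if FILESMATCH_PHP.search(base) else None


def upload_is_safe(filename):
    """Defensive check for an upload path: reject any name that would reach
    a script handler under the AddHandler rules, even if it ends in .jpg."""
    handler, _ = resolve_addhandler(filename)
    return handler is None


if __name__ == "__main__":
    # Constructed sample upload names
    for name in ["photo.jpg", "shell.php.jpg", "report.pdf", "index.php"]:
        print(name, resolve_addhandler(name), resolve_filesmatch(name),
              upload_is_safe(name))
```

Under the AddHandler rules shell.php.jpg reaches php5-script while keeping an image/jpeg type; under the FilesMatch rule it gets no script handler at all.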
> a recent post on bugtraq hilighted an issue with how upstream has
> configured apache to invoke php, namely using addhandler, which has the
> behavior of matching the extension anywhere in the file. this means
> that foo.php.jpg will be run as php. where this becomes an issue is web
> apps that allow uploads into the webspace for images, pdfs, etc. if the
> app assumes that anything.jpg is safe, this addhandler feature will
> surprise it.

Hi Joe,

Are you sure this is limited to just CentOS? I've seen that config used before on other distros' apache configs.

From the Apache 2.x Docs:

---
Care should be taken when a file with multiple extensions gets associated with both a MIME-type and a handler. This will usually result in the request being handled by the module associated with the handler. For example, if the .imap extension is mapped to the handler imap-file (from mod_imap) and the .html extension is mapped to the MIME-type text/html, then the file world.imap.html will be associated with both the imap-file handler and text/html MIME-type. When it is processed, the imap-file handler will be used, and so it will be treated as a mod_imap imagemap file.
---

So if example.php.gif is read by apache, the AddHandler for php5-script (mod_php) will take precedence over the mime-type handler for .gif (image/gif) and the file will be treated as a php script.

From that it almost sounds like it's not a bug, just apache's own rules of precedence for handling files that match multiple extensions/mime-types.

--
Drew

"Nothing in life is to be feared. It is only to be understood."
--Marie Curie
Joe Pruett wrote:
> a fix is to replace two lines in /etc/httpd/conf.d/php.conf:
>
> AddHandler php5-script .php
> AddType text/html .php
>

what about other AddHandlers? for instance,

AddHandler cgi-script .cgi
AddHandler type-map var

I had both of these on my server, and just now replaced them with similar <FilesMatch...> sections.
John R Pierce wrote on Sun, 15 Nov 2009 12:26:08 -0800:
> I had both of these on my server, and just now replaced them with
> similar <FilesMatch...> sections.

Just a comment about the FilesMatch thing. The proposed additional ForceType will not work in there according to the httpd docs. Not that this makes a big difference.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
> i have reported this upstream. hopefully they will see it as a problem
> and address it.

For those of you who are interested, the upstream bug is https://bugzilla.redhat.com/show_bug.cgi?id=537535

Please comment as appropriate.

--
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell