From kae at verens.com Mon Oct 13 13:59:31 2008
From: kae at verens.com (Kae Verens)
Date: Mon, 13 Oct 2008 14:59:31 +0100
Subject: [Fedora-php-devel-list] security bug with how PHP is added as an Apache handler
Message-ID: <48F35443.6060804@verens.com>

The conf.d/php.conf file attaches .php files to its handler like this:

AddHandler php5-script .php

however, that allows some hackery. For example, create three files, "test.php", "test.php." and "test.php.blahblah". In each, place "

SetHandler php5-script

| kae

From jorton at redhat.com Mon Oct 13 19:10:18 2008
From: jorton at redhat.com (Joe Orton)
Date: Mon, 13 Oct 2008 20:10:18 +0100
Subject: [Fedora-php-devel-list] security bug with how PHP is added as an Apache handler
In-Reply-To: <48F35443.6060804@verens.com>
References: <48F35443.6060804@verens.com>
Message-ID: <20081013191018.GA4594@redhat.com>

On Mon, Oct 13, 2008 at 02:59:31PM +0100, Kae Verens wrote:
> The conf.d/php.conf file attaches .php files to its handler like this:
> AddHandler php5-script .php

This is a feature, which allows MultiViews to work properly.

> This means that a web application which allows people to upload files
> (images, for example), but not PHP scripts, can be circumvented by
> naming the script somescript.php.notphp and then uploading it.

A webapp which:

a) allows users to upload files with arbitrary filenames, and
b) makes such files immediately publicly-accessible

is broken and insecure. Changing the default httpd configuration as you suggest won't make it secure.

Regards, Joe

From chris.stone at gmail.com Thu Oct 23 18:21:18 2008
From: chris.stone at gmail.com (Christopher Stone)
Date: Thu, 23 Oct 2008 11:21:18 -0700
Subject: [Fedora-php-devel-list] php-pear doc files not in %doc?
Message-ID:

Hi,

Should the files in the php-pear package which are packaged under /usr/share/pear/doc be placed under %doc instead?
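The exchange between Kae Verens and Joe Orton above turns on one mod_mime detail: with AddHandler, every dot-separated part of a filename after the first is treated as an extension, so "test.php.blahblah" and "test.php." select the php5-script handler just as "test.php" does. The following Python is an added illustration written for this archive page, not code from the thread, from Fedora or from the Apache project. apache_handler_for is a deliberately simplified emulation of that matching rule (it ignores MultiViews, language and encoding extensions); safe_upload_name shows the application-side fix Joe is pointing at: never let a user-chosen name reach the filesystem, reject anything whose extension chain would pick up a script handler, and store under a random name with exactly one allowlisted extension. The handler table, the allowlist and all sample filenames are constructed for the example.

```python
import os
import secrets
from typing import Optional

# Constructed for this example: what conf.d/php.conf adds with
# "AddHandler php5-script .php". Keys are extensions without the dot.
HANDLER_EXTENSIONS = {"php": "php5-script"}

# Constructed allowlist of upload types the hypothetical application accepts.
ALLOWED_UPLOAD_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}


def apache_handler_for(filename: str) -> Optional[str]:
    """Simplified emulation of mod_mime's AddHandler matching.

    Every dot-separated segment after the basename counts as an extension,
    in any order, and unknown segments are simply ignored. That is why
    'test.php.blahblah' and 'test.php.' both map to php5-script.
    """
    segments = filename.split(".")[1:]  # everything after the first dot
    for ext in segments:
        handler = HANDLER_EXTENSIONS.get(ext.lower())
        if handler is not None:
            return handler
    return None


def safe_upload_name(user_filename: str) -> str:
    """Derive a server-side name for an upload without trusting the client's.

    Raises ValueError when the upload should be refused. The returned name
    has a random stem and exactly one extension, so no later segment can
    trigger a script handler. The file should still be stored outside
    DocumentRoot and served through the application, not by httpd directly.
    """
    # Strip any path component the client sent (../../ tricks, backslashes).
    base = os.path.basename(user_filename.replace("\\", "/"))
    segments = base.split(".")

    # Require name.ext with no empty segments ("file.", ".htaccess", "noext").
    if len(segments) < 2 or not all(segments):
        raise ValueError("filename must be of the form name.ext")

    # Defence in depth: refuse anything httpd would hand to a script handler,
    # regardless of which segment carries the dangerous extension.
    if apache_handler_for(base) is not None:
        raise ValueError("filename would be executed as a script by httpd")

    ext = segments[-1].lower()
    if ext not in ALLOWED_UPLOAD_EXTENSIONS:
        raise ValueError("file type not permitted")

    # Random stem; the client's name is discarded entirely.
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    for name in ("test.php", "test.php.", "test.php.blahblah", "photo.jpg"):
        print(f"{name!r:24} -> handler {apache_handler_for(name)}")
    for name in ("cat.png", "../shell.php.png", "report.exe", "noext"):
        try:
            print(f"{name!r:24} -> stored as {safe_upload_name(name)}")
        except ValueError as err:
            print(f"{name!r:24} -> rejected: {err}")
```

Running the block prints the handler selected for each of the three filenames from Kae's report (all php5-script) and shows the upload filter refusing "shell.php.png" while accepting "cat.png" under a fresh random name. The filter rejects rather than silently renaming suspicious uploads so the application can log the attempt.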