On Mon, Aug 20, 2012 at 03:12:14PM +0100, Steven Chamberlain wrote:
> On 20/08/12 14:35, Wouter Verhelst wrote:
> > On Mon, Aug 20, 2012 at 01:10:57PM +0100, Steven Chamberlain wrote:
> >> Yes it's possible some people rely on that behaviour, e.g. serving JPEG
> >> data from PHP scripts named like foo.php.jpeg.
>
> Sorry, I was wrong. For extensions like .jpeg with a known MIME type it
> does not work. So, people are unlikely to be relying on this effect.
>
> http://lists.debian.org/caljhhg8dd+nv2uvgjbvrtubdna3m+o1afo0bqylyfpqkhuj...@mail.gmail.com
>
> >> But some sites accept file uploads with arbitrary names, [...]
> >
> > Don't Do That Then(TM).
>
> Yes I very much agree...
>
> > [...] write your upload scripts so that they
> > - Store uploads in a directory which is served by the webserver, but
> >   without allowing any kind of script execution (i.e., "Options
> >   -ExecCGI" and similar things for other scripting environments and/or
> >   webservers)
>
> I believe -ExecCGI would work for php5-cgi but not for
> libapache2-mod-php5 (whose handler relies on MIME types).
I did say "and similar things for other scripting environments" for a
reason...

> To protect against that, I notice our drupal6 packages create an .htaccess
> file in the file uploads directory, with:
>
> > SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006

Yes. This is exactly what I described above: make sure the uploads are in
a directory that disallows any kind of script execution.

-- 
The volume of a pizza of thickness a and radius z can be described by
the following formula:

pi zz a

Archive: http://lists.debian.org/20120821090717.gb6...@grep.be
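As an added illustration of the approach agreed on in this exchange (serve uploads as static content only, with every form of script execution disabled), here is an Apache configuration fragment. It is not the Drupal .htaccess quoted above and not code from either poster; the directory path is a hypothetical placeholder, and the handler name is an invented one in the same spirit as Drupal's, chosen only because no module claims it. It combines the two measures the thread mentions separately, "Options -ExecCGI" for CGI-style execution and a SetHandler override for module-based handlers such as libapache2-mod-php5, and adds "php_admin_flag engine off" so that the mod_php engine is switched off for the tree regardless of MIME-type matching.

```apache
# Added example, not part of the original mail. Assumes uploads are
# stored under /var/www/example/uploads (hypothetical path) and that
# this block lives in server or vhost configuration, not in .htaccess.
<Directory /var/www/example/uploads>
    # Override whatever handler mod_mime would assign from the file
    # name (php5-script, cgi-script, server-parsed ...) with a name
    # that no loaded module implements, so Apache falls through to
    # serving the file as plain static content. This is the same trick
    # the Drupal .htaccess quoted in the thread uses; the name itself
    # is arbitrary.
    SetHandler Uploads_Are_Static_Content_Do_Not_Remove

    # Disable CGI execution and server-side includes here, and do not
    # expose directory listings of what was uploaded.
    Options -ExecCGI -Includes -Indexes

    # For libapache2-mod-php5, whose handler selection is MIME-type
    # driven, switch the PHP engine off outright. php_admin_flag cannot
    # be re-enabled from a .htaccess file inside the directory.
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>

    # Refuse any .htaccess in the uploads tree, so an uploaded file named
    # .htaccess cannot undo the settings above.
    AllowOverride None
</Directory>
```

After changing the configuration, a quick check is to place a file with a double extension such as test.php.jpeg in the directory and request it: the response body should be the literal file contents with no PHP execution, and the Apache error log should show no handler-related errors for the request. When the directory is instead controlled by a .htaccess file shipped with the application, as in the Drupal case, the SetHandler and Options lines still apply, but php_admin_flag does not work from .htaccess (php_flag engine off is the .htaccess-level equivalent, and it can be overridden unless AllowOverride is restricted upstream).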