[nycphp-talk] not including '.php' in URI

Kenneth Dombrowski kenneth at ylayali.net
Tue Mar 21 17:18:59 EST 2006


On 06-03-21 13:48 -0800, inforequest wrote:
> Kenneth Dombrowski kenneth-at-ylayali.net |nyphp dev/internal group use| 
> wrote:
> >well, I'm not sure what Dan was thinking, but my first reaction to
> >"parse every file as php" was to think of an image containing the string
> >'<?', text files containing sample code, etc, and then the obvious
> >implications of accepting any content files from third parties anywhere.
> >The only way I know of to convince apache to do that is ForceType, which
> >could be safe if it was deployed carefully, sure, but I agree it would
> >introduce a risk.  I also think it's a really ugly way to do it, whether
> >there's a security risk or not (and I'm pretty sure nobody said they
> >were doing it that way anyway), but that's a matter of opinion
> >  
> Thanks kenneth but can you elaborate a bit on this part? What is the 
> ugly part... and what is unsafe about using ForceType? Thanks.
> 

Well, the ugliness is my totally subjective response to the idea of
ForceType in the first place:

http://httpd.apache.org/docs/2.0/mod/core.html#forcetype

What I think the added risk would be: if you were parsing all files as
php, all it takes is the chance that some binary file contains the
string '<?' (or '<?php' if short tags are off) to trigger an error -- not
a very threatening error, but still an error.  Taken further, if you
accept any content from third parties, there is the possibility that
they've altered the content to run whatever command they wanted as your
apache user, maybe by putting code in the id3 comment of an mp3 file, or
altering a .gif or .zip file with a hex editor ... right??

unless I'm way off... 
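
The "deployed carefully" part of the discussion above comes down to scope: what ForceType is allowed to touch. The httpd configuration below is an added example for this archive page, not something posted in the thread or taken from the NYPHP list. The document-root and upload paths are assumptions. It puts the risky form (ForceType over an entire tree, which is what "parse every file as php" amounts to) next to a form that applies it only to extensionless names and switches the PHP engine off under a directory that holds third-party content.

```apache
# Added example (not from the thread). Paths are assumptions.

# --- Risky: every file under the docroot, images and archives included,
# --- is handed to the PHP engine. A '<?' (or '<?php') inside an uploaded
# --- .gif, .zip or mp3 tag would be interpreted, which is the exposure
# --- described in the message above. Shown commented out on purpose.
# <Directory /var/www/html>
#     ForceType application/x-httpd-php
# </Directory>

# --- Scoped: only names with no dot at all (e.g. /about, /contact) are
# --- forced to PHP; anything carrying an extension keeps its normal type,
# --- so a .gif stays image/gif no matter what bytes it contains.
<Directory /var/www/html>
    <FilesMatch "^[^.]+$">
        ForceType application/x-httpd-php
    </FilesMatch>
</Directory>

# --- Third-party uploads live where the PHP engine is off entirely, so
# --- nothing there is parsed whatever its name or content.
# --- (php_admin_flag is a mod_php directive and cannot be overridden
# --- from .htaccess.)
<Directory /var/www/html/uploads>
    php_admin_flag engine off
</Directory>
```

The FilesMatch pattern matches against the file's basename, so a request for `/about` reaches an extensionless file and is parsed, while `/images/logo.gif` never matches and is served as-is; the upload directory gets the engine switched off as a second line in case a file without an extension ends up there.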