[nycphp-talk] not including '.php' in URI

inforequest 1j0lkq002 at sneakemail.com
Tue Mar 21 17:54:02 EST 2006


Kenneth Dombrowski kenneth-at-ylayali.net |nyphp dev/internal group use| 
wrote:

>On 06-03-21 13:48 -0800, inforequest wrote:
>
>>Kenneth Dombrowski kenneth-at-ylayali.net |nyphp dev/internal group use| 
>>wrote:
>>
>>>well, I'm not sure what Dan was thinking, but my first reaction to
>>>"parse every file as php" was to think of an image containing the string
>>>'<?', text files containing sample code, etc, and then the obvious
>>>implications of accepting any content files from third parties anywhere.
>>>The only way I know of to convince apache to do that is ForceType, which
>>>could be safe if it was deployed carefully, sure, but I agree it would
>>>introduce a risk.  I also think it's a really ugly way to do it, whether
>>>there's a security risk or not (and I'm pretty sure nobody said they
>>>were doing it that way anyway), but that's a matter of opinion
>>
>>Thanks kenneth but can you elaborate a bit on this part? What is the 
>>ugly part... and what is unsafe about using ForceType? Thanks.
>
>Well, the ugliness is my totally subjective response to the idea of
>ForceType in the first place
>
>http://httpd.apache.org/docs/2.0/mod/core.html#forcetype
>
>What I think the added risk would be, if you were parsing all files as
>php, all it takes is the chance that some binary file contained the
>string '<?' (or '<?php' if short tags is off) to trigger an error -- not
>a very threatening error, but still an error.  Taken further, if you
>accept any content from third parties, there is the possibility that
>they've altered the content to run whatever command they wanted as your
>apache user, maybe by putting code in the id3 comment of an mp3 file, or
>altering a .gif or .zip file with a hex editor ... right?? 
>
>unless I'm way off... 
>
Thanks for clarifying.

Accepting user uploads is an application-specific situation and so needs 
to be handled regardless IMHO. Good to be aware that files might be 
parsed, just as they may be echoed.

Personally I am fond of explicit declarations in most code, so I would 
not normally parse every file, but often parse all .html as php.

I find that for published static websites ForceType is faster than a PHP 
controller, and easy to administer.

-=john andrews
http://www.seo-fun.com
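An added configuration example, not from the thread or from either poster, showing the risk Kenneth describes beside the narrower setup John says he uses (parse only .html as PHP) and a separate rule for a directory of third-party content. Paths and the uploads directory name are assumptions; the access-control lines use Apache 2.4 syntax (`Require`), whereas the 2.0 docs linked above would use `Order`/`Deny`.

```apache
# Added example, not the thread's own config. /var/www/site and its uploads/
# subdirectory are assumed paths. The two <Directory "/var/www/site"> blocks
# are alternatives shown side by side; use one or the other.

# --- Weak: everything under the docroot, uploads included, is parsed as PHP.
# A GIF, MP3 or ZIP that someone arranged to contain "<?php ... ?>" executes
# as the Apache user the moment it is requested.
<Directory "/var/www/site">
    ForceType application/x-httpd-php
</Directory>

# --- Corrected: only .php and .html files go to the PHP handler, so static
# .html pages can still carry PHP without every byte on disk being executable.
<Directory "/var/www/site">
    <FilesMatch "\.(php|html)$">
        SetHandler application/x-httpd-php
    </FilesMatch>
</Directory>

# Third-party content is never executed, whatever its bytes contain.
<Directory "/var/www/site/uploads">
    # <FilesMatch> sections from all matching <Directory> blocks are merged
    # and applied after the directory-level settings, with later ones winning.
    # A plain "SetHandler None" here would therefore still lose to the .html
    # rule above for uploads/foo.html, so the reset is itself a <FilesMatch>.
    <FilesMatch ".*">
        SetHandler None
    </FilesMatch>
    # With mod_php, also switch the engine off for this tree (files would be
    # sent as plain text even if a handler were re-attached later).
    # With php-fpm, instead make sure no ProxyPassMatch/SetHandler proxy
    # rule covers this path.
    php_admin_flag engine off
    Options -ExecCGI -Includes
    # Do not serve script-looking names at all, not even as source.
    <FilesMatch "\.(php|phtml|phar)$">
        Require all denied
    </FilesMatch>
</Directory>
```

To check it after a reload, drop a text file whose body is literally `<?php echo 'x'; ?>` under uploads/ (a name like probe.txt, and a second copy named probe.html) and request both: the response must be the literal tag, not `x`. Requesting the same body as a .html file outside uploads/ should return `x`, which confirms the handler is scoped the way the second block intends.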