NYCPHP Meetup

NYPHP.org

[nycphp-talk] not including '.php' in URI

Kenneth Dombrowski kenneth at ylayali.net
Tue Mar 21 17:26:20 EST 2006


On 06-03-21 17:18 -0500, Kenneth Dombrowski wrote:
> On 06-03-21 13:48 -0800, inforequest wrote:
> > Kenneth Dombrowski kenneth-at-ylayali.net |nyphp dev/internal group use| 
> > wrote:
> > >well, I'm not sure what Dan was thinking, but my first reaction to
> > >"parse every file as php" was to think of an image containing the string
> > >'<?', text files containing sample code, etc, and then the obvious
> > >implications of accepting any content files from third parties anywhere.
> > >The only way I know of to convince apache to do that is ForceType, which
> > >could be safe if it was deployed carefully, sure, but I agree it would
> > >introduce a risk.  I also think it's a really ugly way to do it, whether
> > >there's a security risk or not (and I'm pretty sure nobody said they
> > >were doing it that way anyway), but that's a matter of opinion
> > >  
> > Thanks kenneth but can you elaborate a bit on this part? What is the 
> > ugly part... and what is unsafe about using ForceType? Thanks.
> > 
> 
> Well, the ugliness is my totally subjective response to the idea of
> ForceType in the first place
> 
> http://httpd.apache.org/docs/2.0/mod/core.html#forcetype
> 

Actually, now that I read the link I looked up for you, I see there is
also DefaultType, which respects the other types apache knows about.
That looks a lot better, but you still have to be careful that apache
knows about everything found in your DocumentRoot.
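
An added example, not part of the original post: a Python audit for the caution above, listing files under a DocumentRoot that have no extension the type map knows (and so would receive DefaultType) and noting which of them contain `<?`. The embedded mime.types sample is constructed and the function names are hypothetical; a real check would load the server's own mime.types and AddType settings.

```python
import os
import sys

# Constructed sample in Apache mime.types format: "type ext ext ...".
# Assumption: in practice, load the server's real mime.types and AddType lines.
SAMPLE_MIME_TYPES = """\
# constructed sample
text/html html htm
text/plain txt
image/png png
image/jpeg jpeg jpg
application/x-httpd-php php
"""

def load_known_extensions(mime_types_text):
    """Return the set of lowercase extensions that map to a type."""
    known = set()
    for line in mime_types_text.splitlines():
        fields = line.split("#", 1)[0].split()
        known.update(ext.lower() for ext in fields[1:])
    return known

def falls_to_default_type(filename, known):
    """True if no extension of the file is known, so DefaultType applies.

    mod_mime examines every dot-separated extension, not only the last one.
    """
    extensions = filename.lower().split(".")[1:]
    return not any(ext in known for ext in extensions)

def audit_docroot(docroot, known):
    """Return sorted (relative_path, has_php_open_tag) for untyped files."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if not falls_to_default_type(name, known):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                has_tag = b"<?" in fh.read()
            findings.append((os.path.relpath(path, docroot), has_tag))
    return sorted(findings)

if __name__ == "__main__":
    known_exts = load_known_extensions(SAMPLE_MIME_TYPES)
    for rel, has_tag in audit_docroot(sys.argv[1], known_exts):
        print(("PHP-TAG  " if has_tag else "untyped  ") + rel)
```

Files reported with `PHP-TAG` are the ones that would be executed if the default type were set to the PHP handler.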




