The folks at Drupal have apparently just discovered that something.php.bar is executed as PHP, and, thus, checking to see if a file ends with .php is not sufficient to ensure that their file upload feature can't be exploited.

In fact, they have a whitelist, and check to see the files end only with stuff on the whitelist, so it's a little more robust than that, but still fairly easy to get around.

I've been asked to pass on a request for a configuration directive to disable the support for multiple file extensions - that is, ensure that only the final file extension is honored when determining how to handle a file.

I haven't thought through all the implications of such a directive, nor do I know how feasible it is. But I've passed on the request.

--Rich
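As an added illustration of the problem described in the message above (this is example code, not Drupal's or Apache's), the following Python contrasts a final-extension whitelist check with one that accounts for Apache mod_mime treating every dot-separated segment as an extension. The whitelist and the set of handler-mapped extensions are constructed for the example.

```python
# Constructed sets for the example: extensions a site allows in uploads, and
# extensions that Apache mod_mime maps to a script handler on a typical install.
ALLOWED_UPLOAD_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "txt"}
HANDLER_EXTENSIONS = {"php", "phtml", "php3", "php4", "phps", "cgi", "pl"}


def extension_segments(filename):
    """Return every dot-separated segment after the base name, lower-cased.

    mod_mime evaluates each of these segments as an extension, so
    'something.php.jpg' yields ['php', 'jpg'], not just ['jpg'].
    """
    base = filename.rsplit("/", 1)[-1]          # ignore any directory part
    parts = base.split(".")
    return [p.lower() for p in parts[1:] if p]  # drop base name and empty segments


def naive_is_safe(filename):
    """The check the message describes: only the final extension is inspected."""
    segs = extension_segments(filename)
    return bool(segs) and segs[-1] in ALLOWED_UPLOAD_EXTENSIONS


def strict_is_safe(filename):
    """Reject a name if any segment would be honored by a script handler.

    This mirrors how mod_mime actually resolves handlers, so a whitelisted
    final extension does not hide an earlier handler-mapped one.
    """
    segs = extension_segments(filename)
    if not segs or segs[-1] not in ALLOWED_UPLOAD_EXTENSIONS:
        return False
    return not any(s in HANDLER_EXTENSIONS for s in segs)


if __name__ == "__main__":
    for name in ("photo.jpg", "something.php.jpg", "report.PHP.txt", "noext"):
        print(f"{name:20} naive={naive_is_safe(name)!s:5} strict={strict_is_safe(name)}")
```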
