Re: Why PHP is parsing not only .php
Chris Francy [EMAIL PROTECTED] writes:

> You should probably be using the phps extension with the
> AddType application/x-httpd-php-source .phps
> instead of renaming them to have a .txt extension.

That's exactly what I do, using a symlink. So my progs are available as progs and as source files.

But you can symlink to a .txt file too, removing any other extensions.

--
AMAZING BUT TRUE ...
If all the salmon caught in Canada in one year were laid end to end across the Sahara Desert, the smell would be absolutely awful.
--
François TOURDE - tourde.org - 23 rue Bernard GANTE - 93250 VILLEMOMBLE
Tél: 01 49 35 96 69 - Mob: 06 81 01 81 80
eMail: mailto:[EMAIL PROTECTED] - URL: http://francois.tourde.org/
Re: Why PHP is parsing not only .php
On Thu, 2003-04-03 at 12:43, Yoss wrote:

> Why PHP is parsing file with .php.txt extension? I think that is a security hole, because in easy way we can imagine that there is php script that should allow to upload only .txt files. 99% of coders will check this with /.+?\.txt$/ because this is logic, that php script is everything what ends with .php.
> Is there any way to prevent such a situation that not only /.+?\.php/ is parsed by PHP?
> If you need any additional information (config files, or something) let me know, I will send it with pleasure.

Did you enable content negotiation? If yes, then that is likely to cause your problem.

--
See you,
Bart-Jan
Re: Why PHP is parsing not only .php
This is expected behaviour... Please see the section about files with multiple extensions on the page http://httpd.apache.org/docs/mod/mod_mime.html#addencoding

---
If more than one extension is given which maps onto the same type of meta-information, then the one to the right will be used. For example, if .gif maps to the MIME-type image/gif and .html maps to the MIME-type text/html, then the file welcome.gif.html will be associated with the MIME-type text/html.
---

You should probably be using the phps extension with the
AddType application/x-httpd-php-source .phps
instead of renaming them to have a .txt extension.

Chris

--- Yoss [EMAIL PROTECTED] wrote:

> Hello.
> Please, take a look at this: http://www.milc.com.pl/aa.php.txt
> Why PHP is parsing file with .php.txt extension? I think that is a security hole, because in easy way we can imagine that there is php script that should allow to upload only .txt files. 99% of coders will check this with /.+?\.txt$/ because this is logic, that php script is everything what ends with .php.
> Is there any way to prevent such a situation that not only /.+?\.php/ is parsed by PHP?
> If you need any additional information (config files, or something) let me know, I will send it with pleasure.
> --
> Bartłomiej Butyn aka Yoss
> There is nothing so bad that it could not turn out worse.
Re: [despammed] Re: Why PHP is parsing not only .php
Thursday, April 3, 2003, 1:44:09 PM, Chris Francy (Chris) wrote:

> This is expected behaviour... Please see the section about files with
> multiple extensions on the page
> http://httpd.apache.org/docs/mod/mod_mime.html#addencoding
> ---
> If more than one extension is given which maps onto the same type of
> meta-information, then the one to the right will be used. For example,
> if .gif maps to the MIME-type image/gif and .html maps to the
> MIME-type text/html, then the file welcome.gif.html will be associated
> with the MIME-type text/html.
> ---

Wouldn't that mean php would NOT parse the file, since it ends in .txt?

--
| Eddie J Schwartz [EMAIL PROTECTED]|m00.net] |
| AIM: Uncaring Eyes ICQ: 35576339 YHOO: edmcman2 |
| We Trills have an expression -- at forty, you |
| think you know everything. At four hundred you |
| realize you know nothing. - Dax, Startrek DS9 |
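An added example, not part of any message in this thread and not Apache's own code: a simplified Python model of the mod_mime rule quoted above, set beside the `/.+?\.txt$/` upload check from the original question and a stricter replacement. The mapping tables, the handler name `php-script` and all function names are assumptions made for illustration; the thread does not show how the poster's server was actually configured.

```python
import re

# Constructed server mappings (assumptions, not taken from the thread).
MIME_TYPES = {"txt": "text/plain", "html": "text/html", "gif": "image/gif"}
HANDLERS = {"php": "php-script"}  # as if mapped with AddHandler; name is illustrative


def resolve(filename, mime_types=MIME_TYPES, handlers=HANDLERS):
    """Simplified model of mod_mime: every extension is looked up, and for
    each kind of meta-information the rightmost matching extension wins."""
    result = {"type": None, "handler": None}
    for ext in filename.lower().split(".")[1:]:  # all parts after the first dot
        if ext in mime_types:
            result["type"] = mime_types[ext]
        if ext in handlers:
            result["handler"] = handlers[ext]
    return result


def naive_upload_check(filename):
    """The check quoted in the thread: accept any name ending in .txt."""
    return re.search(r".+?\.txt$", filename) is not None


def strict_upload_check(filename, handlers=HANDLERS):
    """Accept exactly one extension, 'txt', and nothing mapped to a handler."""
    stem, *exts = filename.lower().split(".")
    if not re.fullmatch(r"[a-z0-9_-]+", stem) or exts != ["txt"]:
        return False
    return resolve(filename, handlers=handlers)["handler"] is None


if __name__ == "__main__":
    # Constructed file names; aa.php.txt is the name from the original post.
    for name in ("welcome.gif.html", "notes.txt", "aa.php.txt"):
        print(name, resolve(name),
              "naive:", naive_upload_check(name),
              "strict:", strict_upload_check(name))
    # Both extensions mapped to a MIME type: the rightmost (.txt) wins and
    # no handler is attached, which is the case the documentation quote covers.
    both_types = dict(MIME_TYPES, php="application/x-httpd-php")
    print(resolve("aa.php.txt", mime_types=both_types, handlers={}))
```

In this model a MIME type and a handler are separate kinds of meta-information, so `aa.php.txt` can carry `text/plain` and a PHP handler at the same time. On the server side, the matching hardening is to bind the PHP handler with a pattern anchored to the final extension (for example a `FilesMatch` block on `\.php$`) rather than a per-extension mapping.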