Tue Sep 5 01:19:03 CEST 2006

apache AddHandler multiple extensions

I stumbled upon an odd behaviour of Apache today: thanks to mod_mime, Apache2 (I did not check Apache1.3.x but I'm quite sure it will handle it the same way) defines 'extensions' as 'one extension of many'. That's why the AddHandler directive treats a given extension as a string which has to exist anywhere(!) in the filename. So for example

AddHandler cgi-script wurst
Will handle all files matching /^.*\.wurst.*$/i. At first I thought I must have made some error in the configuration, but a quick look at a fresh apache2 installation showed it handling file extensions no differently. A deeper search in Apache's Buglyzilla led to Bug #10768, which has been marked invalid as this is a feature, not a bug. Quote:
An "extension" in apache is any period-delimited part of the filename after the first period. So in one.two.three.four, all of two, three and four are extensions.
That is of course quite different from what I would usually think of; Wikipedia, for example, says:
A filename extension is an extra set of (usually) alphanumeric characters that is appended to the end of a filename

That's why, if you have defined a filetype to be handled via AddHandler, you had better check uploaded files not only for valid extensions but also their whole name for possible dots. Can't wait to check for PHP applications that only check uploads for a file ending matching «.php»..
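One way to implement the whole-name check described above, as an added example (not code from the original post). It models the extension rule quoted from the bug report; the handler and allow-list sets, the function names and the sample filenames are assumptions.

```python
# Added example: models the rule quoted above, where every period-delimited
# part after the first period is an extension (compared case-insensitively).

# Assumption: extensions this server maps to a handler via AddHandler.
HANDLER_EXTENSIONS = {"php", "cgi", "wurst"}
# Assumption: extensions the upload form is meant to accept.
ALLOWED_UPLOAD_EXTENSIONS = {"jpg", "png", "gif", "txt"}


def apache_extensions(filename):
    """Return every extension of the file name, lower-cased, path dropped."""
    basename = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return [part.lower() for part in basename.split(".")[1:] if part]


def naive_check(filename):
    """The ending-only test the post warns about: looks at the last part only."""
    return filename.lower().rsplit(".", 1)[-1] in ALLOWED_UPLOAD_EXTENSIONS


def check_upload_name(filename):
    """Validate the whole name; returns (accepted, reason)."""
    exts = apache_extensions(filename)
    if not exts:
        return (False, "no extension")
    hits = [e for e in exts if e in HANDLER_EXTENSIONS]
    if hits:
        return (False, "handler extension in name: " + ", ".join(hits))
    if exts[-1] not in ALLOWED_UPLOAD_EXTENSIONS:
        return (False, "ending not on allow list")
    if len(exts) > 1:
        # Conservative: a handler added later could match an inner part.
        return (False, "more than one extension")
    return (True, "ok")


if __name__ == "__main__":
    # Constructed sample names, not taken from any real system.
    for name in ["photo.jpg", "holiday.php.jpg", "notes.WURST.txt",
                 "report.v2.txt", "README"]:
        print(f"{name:18} naive={naive_check(name)!s:5} "
              f"strict={check_upload_name(name)}")
```

Renaming accepted uploads to a server-generated name with a single known extension removes the dependency on this check being complete.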

A workaround for only matching file extensions (as in 'ending') is to comment out that AddHandler line and replace it with:

<Files ~ "\.cgi$">
   SetHandler cgi-script
</Files>
( this will surely boost performance to the max .. )


Posted by iso | Tags: php, security, annoyance, linux