On Mon, Oct 13, 2008 at 5:15 AM, Kae Verens <kae@xxxxxxxxxxx> wrote:
> Morning all,
> first post from myself.
>
> If you have PHP, Perl or plain old CGI installed, and set up Apache to
> recognise these files with the extensions '.php', '.pl' or '.cgi', Apache
> will recognise the files even if the filename has a '.' at the end.
>
> For example, 'test.php.' will be run as if it is a PHP file.
>
> This causes some developers to unwittingly create insecure programs. For
> example, if you have a program which allows a user to rename a file, but
> bans server-executable extensions such as '.php', '.cgi', etc, the
> programmer would not automatically realise that the user can get around that
> by placing a '.' at the end.
>
> I'd like to know is that a bug in Apache?

This is the MultiViews feature
http://httpd.apache.org/docs/2.2/content-negotiation.html

--
Eric Covener
covener@xxxxxxxxx

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
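
The rename check described in the original post, as an added example (not code from the thread or from the Apache project): a last-extension blocklist accepts 'test.php.', while an allowlist that inspects every dot-separated component of the name rejects it. The function names, the allowed-extension set and the sample names are assumptions made for illustration.

```python
import os

# Extensions the post says the server is configured to execute.
EXECUTABLE = {"php", "pl", "cgi"}
# Assumption: the application only ever needs to store these types.
ALLOWED = {"jpg", "png", "gif", "txt", "pdf"}


def naive_is_safe(name: str) -> bool:
    """Flawed check from the post: ban names whose final extension is executable."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    return ext not in EXECUTABLE


def strict_is_safe(name: str) -> bool:
    """Allowlist check over every dot-separated component of the name."""
    # Reject empty names, path separators and NUL so the name stays in its directory.
    if not name or any(c in name for c in "/\\\0"):
        return False
    stem, *exts = name.split(".")
    # Require a non-empty stem (no dotfiles such as '.htaccess') and exactly one
    # extension. A trailing '.' yields an empty extra component and fails here,
    # as does a stacked name like 'x.php.jpg'.
    if not stem or len(exts) != 1:
        return False
    return exts[0].lower() in ALLOWED


def audit(names):
    """Return (name, naive_verdict, strict_verdict) for each candidate name."""
    return [(n, naive_is_safe(n), strict_is_safe(n)) for n in names]


if __name__ == "__main__":
    # Constructed sample names, not taken from any real system.
    samples = ["photo.jpg", "test.php", "test.php.", "x.php.jpg", ".htaccess"]
    for name, naive, strict in audit(samples):
        print(f"{name!r:14} naive={naive!s:5} strict={strict}")
```

The strict check deliberately refuses names with more than one dot; relax that only if the server's extension mapping is known to ignore the inner components.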