Received: (qmail 80241 invoked by uid 501); 18 Feb 2002 16:04:25 -0000 Message-Id: <20020218160425.80240.qmail@apache.org> Date: 18 Feb 2002 16:04:25 -0000 From: Ivan Kartik Reply-To: ika@vision.sk To: submit@bugz.apache.org Subject: AddType application/x-httpd-php .php .php3 etc. etc. problem (probably conf parsing problem) X-Send-Pr-Version: 3.110 >Number: 9861 >Category: config >Synopsis: AddType application/x-httpd-php .php .php3 etc. etc. problem (probably conf parsing problem) >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Mon Feb 18 08:10:00 PST 2002 >Closed-Date: >Last-Modified: >Originator: ika@vision.sk >Release: 1.3.23 >Organization: apache >Environment: Redhat Linux 7.2 gcc-3.0.1 Linux breathe 2.4.9-21smp #1 SMP Thu Jan 17 14:01:48 EST 2002 i686 unknown Apache is not chroot-ed >Description: At first, i am sorry for my english. PROBLEM: Most free e-mail servers (which using PHP) could be vurnealble if user send an email with attachement for example test.php.php3. Problem is if e-mail browser application detect php or php3 (and others) name (mostly just a extension) of that file is replaced by e-mail browser application, for exemple: test.php.#php3 but if directive AddType application/x-httpd-php (in httpd.conf) contains multiple extensions PHP is still executable by PHP parser. >How-To-Repeat: Just a make file test.php._php3 or ....php.#php3 . But test.php.php3_ is not parsed. Probably problem in Apache config parser (reader). This problem can be solved when directive AddType application/x-httpd-php contains only one extension behind. For example: AddType application/x-httpd-php .php3 AddType application/x-httpd-php .php Most documentations (PHP) recommending multiple extensions in one line. >Fix: >Release-Note: >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, you need] [to include in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]