[nycphp-talk] not including '.php' in URI

Kenneth Dombrowski kenneth at ylayali.net
Tue Mar 21 17:26:20 EST 2006


On 06-03-21 17:18 -0500, Kenneth Dombrowski wrote:
> On 06-03-21 13:48 -0800, inforequest wrote:
> > Kenneth Dombrowski kenneth-at-ylayali.net |nyphp dev/internal group use| 
> > wrote:
> > >well, I'm not sure what Dan was thinking, but my first reaction to
> > >"parse every file as php" was to think of an image containing the string
> > >'<?', text files containing sample code, etc, and then the obvious
> > >implications of accepting any content files from third parties anywhere.
> > >The only way I know of to convince apache to do that is ForceType, which
> > >could be safe if it was deployed carefully, sure, but I agree it would
> > >introduce a risk.  I also think it's a really ugly way to do it, whether
> > >there's a security risk or not (and I'm pretty sure nobody said they
> > >were doing it that way anyway), but that's a matter of opinion
> > >  
> > Thanks kenneth but can you elaborate a bit on this part? What is the 
> > ugly part... and what is unsafe about using ForceType? Thanks.
> > 
> 
> Well, the ugliness is my totally subjective response to the idea of
> ForceType in the first place
> 
> http://httpd.apache.org/docs/2.0/mod/core.html#forcetype
> 

Actually, now that I read the link I looked up for you, I see there is
also DefaultType, which respects the other types apache knows about.
That looks a lot better, but you still have to be careful that apache
knows about everything found in your DocumentRoot.
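
The check described above, as an added example that is not part of the original post: list every file under a DocumentRoot whose name carries no extension Apache has a type for, since those are the files that would receive DefaultType (and so be handed to PHP if DefaultType were set to the PHP type). The mime.types excerpt, the file names and the "uploads" directory are constructed, and the extension lookup is an approximation of mod_mime, not its code.

```python
import os
import tempfile

# Constructed excerpt in mime.types format ("type ext ext ..."), not a real server's file.
SAMPLE_MIME_TYPES = """\
text/html                html htm
text/css                 css
image/jpeg               jpeg jpg
application/x-httpd-php  php
"""

def parse_mime_types(text):
    """Return {extension: type} from mime.types-format text."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for ext in fields[1:]:
            mapping[ext.lower()] = fields[0]
    return mapping

def falls_to_default(filename, mapping):
    # Approximation of mod_mime (assumption): the first dot-separated part is
    # the base name; each later part is looked up case-insensitively.
    return not any(p.lower() in mapping for p in filename.split(".")[1:])

def audit_docroot(docroot, mapping):
    """Relative paths under docroot with no mapped extension (served as DefaultType)."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if falls_to_default(name, mapping):
                hits.append(os.path.relpath(os.path.join(dirpath, name), docroot))
    return sorted(hits)

def demo():
    """Audit a constructed DocumentRoot; 'uploads' stands in for third-party content."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "uploads"))
        for rel in ("index", "style.css", "uploads/photo.JPG",
                    "uploads/notes.txt", "uploads/avatar"):
            open(os.path.join(root, rel), "w").close()
        return audit_docroot(root, parse_mime_types(SAMPLE_MIME_TYPES))

if __name__ == "__main__":
    for path in demo():
        print("would get DefaultType:", path)
```

Against a real server the mapping would be built from its own mime.types plus any AddType lines, and anything the audit reports under a directory that accepts third-party files is what needs an explicit type.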




