[nycphp-talk] not including '.php' in URI
inforequest
1j0lkq002 at sneakemail.com
Tue Mar 21 17:54:02 EST 2006
Kenneth Dombrowski kenneth-at-ylayali.net |nyphp dev/internal group use| wrote:
>On 06-03-21 13:48 -0800, inforequest wrote:
>
>>Kenneth Dombrowski kenneth-at-ylayali.net |nyphp dev/internal group use|
>>wrote:
>>
>>>well, I'm not sure what Dan was thinking, but my first reaction to
>>>"parse every file as php" was to think of an image containing the string
>>>'<?', text files containing sample code, etc, and then the obvious
>>>implications of accepting any content files from third parties anywhere.
>>>The only way I know of to convince apache to do that is ForceType, which
>>>could be safe if it was deployed carefully, sure, but I agree it would
>>>introduce a risk. I also think it's a really ugly way to do it, whether
>>>there's a security risk or not (and I'm pretty sure nobody said they
>>>were doing it that way anyway), but that's a matter of opinion
>>>
>>Thanks Kenneth, but can you elaborate a bit on this part? What is the
>>ugly part... and what is unsafe about using ForceType? Thanks.
>>
>Well, the ugliness is my totally subjective response to the idea of
>ForceType in the first place
>
>http://httpd.apache.org/docs/2.0/mod/core.html#forcetype
>
>What I think the added risk would be, if you were parsing all files as
>php, all it takes is the chance that some binary file contained the
>string '<?' (or '<?php' if short tags are off) to trigger an error -- not
>a very threatening error, but still an error. Taken further, if you
>accept any content from third parties, there is the possibility that
>they've altered the content to run whatever command they wanted as your
>apache user, maybe by putting code in the id3 comment of an mp3 file, or
>altering a .gif or .zip file with a hex editor ... right??
>
>unless I'm way off...
>
Thanks for clarifying.

Accepting user uploads is an application-specific situation and so needs
to be handled regardless IMHO. Good to be aware that files might be
parsed, just as they may be echoed.

Personally I am fond of explicit declarations in most code, so I would
not normally parse every file, but often parse all .html as PHP.

I find that for published static websites ForceType is faster than a PHP
controller, and easy to administer.
-=john andrews
http://www.seo-fun.com
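The two configurations the thread is contrasting, written out as an added example (this is not configuration posted by either participant). It assumes Apache 2.x with mod_php, which is what the `application/x-httpd-php` type and the `php_admin_flag` directive belong to; the docroot and `uploads` paths are hypothetical. The first block is the "parse every file as php" case Kenneth objects to; the second is the scoped variant John describes (only `.html` handed to PHP), with the PHP engine switched off entirely where third-party content lands. The two `<Directory "/var/www/site">` blocks are alternatives, not meant to be deployed together.

```apache
# Added example, not from the thread. Assumes Apache 2.x + mod_php;
# paths are hypothetical.

# --- Risky: every file under the docroot is handed to the PHP engine.
# A user-uploaded GIF, MP3 or ZIP that carries "<?php ... ?>" in a
# comment field (or, with short_open_tag on, just "<?") is executed
# as the Apache user.
<Directory "/var/www/site">
    ForceType application/x-httpd-php
</Directory>

# --- Scoped: only *.html is parsed as PHP, everything else is served
# with its normal MIME type.
<Directory "/var/www/site">
    <FilesMatch "\.html$">
        ForceType application/x-httpd-php
    </FilesMatch>
</Directory>

# --- Where third parties can write, make sure nothing is parsed:
# undo any inherited type/handler mapping and turn the PHP engine off,
# so even a file literally named evil.php is served as bytes.
<Directory "/var/www/site/uploads">
    ForceType None
    RemoveHandler .php .phtml .html
    php_admin_flag engine off
    Options -ExecCGI -Includes
</Directory>
```

The check worth running after a change like this: upload an otherwise valid image whose comment block contains `<?php phpinfo(); ?>`, request it, and confirm the response is byte-identical to what was uploaded and carries the image's own `Content-Type`. If PHP runs as FastCGI/php-fpm instead of mod_php, `php_admin_flag` has no effect and the equivalent is to ensure no `SetHandler`/proxy mapping for PHP applies to the upload directory.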