
Mailing List Archive: Apache: Users

files ending with '.' treated as if the '.' is not there



kae at webworks

Oct 13, 2008, 2:15 AM

Post #1 of 7
files ending with '.' treated as if the '.' is not there

Morning all,
first post from myself.

If you have PHP, Perl or plain old CGI installed, and set up Apache to
recognise these files with the extensions '.php', '.pl' or '.cgi',
Apache will recognise the files even if the filename has a '.' at the end.

For example, 'test.php.' will be run as if it is a PHP file.

This causes some developers to unwittingly create insecure programs. For
example, if you have a program which allows a user to rename a file, but
bans server-executable extensions such as '.php', '.cgi', etc, the
programmer would not automatically realise that the user can get around
that by placing a '.' at the end.

I'd like to know: is that a bug in Apache?

kae

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe[at]httpd.apache.org
" from the digest: users-digest-unsubscribe[at]httpd.apache.org
For additional commands, e-mail: users-help[at]httpd.apache.org


covener at gmail

Oct 13, 2008, 4:18 AM

Post #2 of 7
Re: files ending with '.' treated as if the '.' is not there [In reply to]

On Mon, Oct 13, 2008 at 5:15 AM, Kae Verens <kae[at]webworks.ie> wrote:
> Morning all,
> first post from myself.
>
> If you have PHP, Perl or plain old CGI installed, and set up Apache to
> recognise these files with the extensions '.php', '.pl' or '.cgi', Apache
> will recognise the files even if the filename has a '.' at the end.
>
> For example, 'test.php.' will be run as if it is a PHP file.
>
> This causes some developers to unwittingly create insecure programs. for
> example, if you have a program which allows a user to rename a file, but
> bans server-executable extensions such as '.php', '.cgi', etc, the
> programmer would not automatically realise that the user can get around that
> by placing a '.' at the end.
>
> I'd like to know is that a bug in Apache?

This is the MultiViews feature
http://httpd.apache.org/docs/2.2/content-negotiation.html


--
Eric Covener
covener[at]gmail.com



kae at webworks

Oct 13, 2008, 4:38 AM

Post #3 of 7
Re: files ending with '.' treated as if the '.' is not there [In reply to]

Eric Covener wrote:
> On Mon, Oct 13, 2008 at 5:15 AM, Kae Verens <kae[at]webworks.ie> wrote:
>
>> Morning all,
>> first post from myself.
>>
>> If you have PHP, Perl or plain old CGI installed, and set up Apache to
>> recognise these files with the extensions '.php', '.pl' or '.cgi', Apache
>> will recognise the files even if the filename has a '.' at the end.
>>
>> For example, 'test.php.' will be run as if it is a PHP file.
>>
> This is the MultiViews feature
> http://httpd.apache.org/docs/2.2/content-negotiation.html
>
I don't have MultiViews enabled. In fact, to be sure, I specifically
disabled it. That thought did occur to me, though.

I haven't coded in C/C++ in over 10 years, but I'll try to dig through the
httpd source to see if I can spot the cause.

kae



kae at webworks

Oct 13, 2008, 4:58 AM

Post #4 of 7
Re: files ending with '.' treated as if the '.' is not there [In reply to]

Kae Verens wrote:
>>> For example, 'test.php.' will be run as if it is a PHP file.
> I don't have MultiViews enabled. In fact, to be sure, I specifically
> disabled it. That thought did occur to me, though.
>
> I haven't coded in C/C++ in over 10 years, but I'll try to dig through
> the httpd source to see if I can spot the cause.

The problem appears to be that the dot at the end is ignored.

In http/mod_mime.c, the extension is grabbed by breaking the filename
apart by its '.' symbols and inspecting each part until a known
extension is found (the find_ct() function).

Unfortunately, it ignores empty extensions and extensions it doesn't
understand. This is a more serious problem than I thought.

What it means is that a file named "test.php.fdnsafhd" is treated as
PHP because Apache (with PHP installed) understands the '.php'
extension, but not the '.fdnsafhd' one, so it ignores the '.fdnsafhd' one.

kae



covener at gmail

Oct 13, 2008, 6:39 AM

Post #5 of 7
Re: files ending with '.' treated as if the '.' is not there [In reply to]

On Mon, Oct 13, 2008 at 7:58 AM, Kae Verens <kae[at]webworks.ie> wrote:
> Kae Verens wrote:
>>>>
>>>> For example, 'test.php.' will be run as if it is a PHP file.
>>
>> I don't have MultiViews enabled. In fact, to be sure, I specifically
>> disabled it. That thought did occur to me, though.
>>
>> I haven't coded in C/C++ in over 10 years, but I'll try to dig through the
>> httpd source to see if I can spot the cause.
>
> the problem appears to be that the dot at the end is ignored.
>
> in http/mod_mime.c, the extension is grabbed by breaking the filename apart
> by its '.' symbols and inspecting each part until a known extension is
> found. (the find_ct() function).
>
> unfortunately, it ignores empty extensions and extensions it doesn't
> understand. This is a more serious problem than I thought.
>
> what it means, is that a file named "test.php.fdnsafhd" is treated as PHP
> because Apache (with PHP installed) understands the '.php' extension, but
> not the '.fdnsafhd' one, so it ignores the '.fdnsafhd' one.

The manual for mod_mime describes this interaction between multiple
extensions (all of which are considered) and AddHandler:

http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext


--
Eric Covener
covener[at]gmail.com



kae at webworks

Oct 13, 2008, 6:44 AM

Post #6 of 7
Re: files ending with '.' treated as if the '.' is not there [In reply to]

Eric Covener wrote:
> The manual for mod_mime describes this interaction between multiple
> extensions (all of which are considered) and AddHandler:
>
> http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext
>
Thanks. That's a good workaround.

kae



wrowe at rowe-clan

Oct 13, 2008, 2:33 PM

Post #7 of 7
Re: files ending with '.' treated as if the '.' is not there [In reply to]

Kae Verens wrote:
> Eric Covener wrote:
>> On Mon, Oct 13, 2008 at 5:15 AM, Kae Verens <kae[at]webworks.ie> wrote:
>>
>>> Morning all,
>>> first post from myself.
>>>
>>> If you have PHP, Perl or plain old CGI installed, and set up Apache to
>>> recognise these files with the extensions '.php', '.pl' or '.cgi',
>>> Apache
>>> will recognise the files even if the filename has a '.' at the end.
>>>
>>> For example, 'test.php.' will be run as if it is a PHP file.
>>>
>> This is the MultiViews feature
>> http://httpd.apache.org/docs/2.2/content-negotiation.html
>>
> I don't have MultiViews enabled. In fact, to be sure, I specifically
> disabled it. That thought did occur to me, though.
>
> I haven't coded in C/C++ in over 10 years, but I'll try to dig through the
> httpd source to see if I can spot the cause.

On Windows, using a filename with a trailing real space (ASCII 32) or period
accesses that file without the space or period. Much like upper/lower case
confusion, httpd normalizes such requested file names to their ACTUAL name
before processing them through mod_mime, etc.



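The mod_mime behaviour described in post #4 (every dot-separated part is examined; empty and unknown parts are skipped rather than resetting the handler), the AddHandler interaction from post #5, and the Windows trailing-dot/space normalization from post #7 all defeat an upload or rename filter that only inspects the text after the last dot. The following is an added example, not code from the thread or from httpd: it models the extension walk in Python, places the naive deny-list check from the first post beside an allow-list check that examines every component and rejects trailing dots and spaces, and checks that nothing the hardened filter accepts would reach a script handler. The handler table and allowed-extension set are constructed for the example, standing in for what real deployments configure with AddHandler.

```python
# Constructed handler table standing in for Apache "AddHandler" directives.
# Real mod_mime reads these from httpd.conf; this mapping is an assumption
# made for the example.
ADD_HANDLER = {
    "php": "application/x-httpd-php",
    "pl": "cgi-script",
    "cgi": "cgi-script",
}

# Constructed allow-list for the upload/rename feature discussed in the thread.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "txt"}


def mod_mime_handler(filename, handlers=ADD_HANDLER):
    """Model of mod_mime's multiple-extension walk.

    Every dot-separated part after the first is examined in order. A part that
    matches a handler extension sets the handler; an empty part (the trailing
    '.' in "test.php.") and an unknown part (".fdnsafhd") are ignored and do
    not reset it. Returns the handler name, or None if no part matched.
    """
    basename = filename.rsplit("/", 1)[-1]
    handler = None
    for ext in basename.split(".")[1:]:
        ext = ext.lower()
        if not ext:
            continue  # empty extension: skipped, handler unchanged
        if ext in handlers:
            handler = handlers[ext]
        # an unknown extension leaves the handler untouched
    return handler


def naive_is_safe(filename, blocked=frozenset(ADD_HANDLER)):
    """The check from the original post: deny-list only the text after the
    last dot. Bypassed by "test.php." and "test.php.fdnsafhd"."""
    return filename.rsplit(".", 1)[-1].lower() not in blocked


def hardened_is_safe(filename, allowed=frozenset(ALLOWED_EXTENSIONS)):
    """Allow-list every extension component, and reject names that end in a
    dot or space (Windows strips those, so "test.php." opens test.php)."""
    basename = filename.rsplit("/", 1)[-1]
    if not basename or basename != basename.rstrip(". "):
        return False
    parts = basename.split(".")
    if len(parts) < 2 or parts[0] == "":
        return False  # no extension at all, or a dotfile such as .htaccess
    return all(p and p.lower() in allowed for p in parts[1:])


def would_execute(filename):
    """True if mod_mime (as modelled above) would hand this file to a script handler."""
    return mod_mime_handler(filename) is not None


if __name__ == "__main__":
    samples = ["test.php", "test.php.", "test.php.fdnsafhd", "evil.php.jpg",
               "photo.jpg", "photo.jpg "]
    for name in samples:
        print(f"{name!r:22} naive={naive_is_safe(name)!s:5} "
              f"hardened={hardened_is_safe(name)!s:5} "
              f"handler={mod_mime_handler(name)}")
```

The application-side allow-list is a mitigation for code that cannot control the web server. On the httpd side, the mod_mime manual section linked in post #5 recommends not using the Add* directives when only the final extension should select a handler: bind the handler with a `<FilesMatch>` block anchored to the end of the name (for example a pattern ending in `\.php$`) and `SetHandler`, so that "test.php.fdnsafhd" no longer matches. On Windows the trailing-dot case behaves differently from what the model shows: as post #7 notes, httpd resolves "test.php." to the real file test.php before mod_mime runs, so the request still executes, just via a different path.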