file extensions

Having trouble installing serendipity?
user1234
Regular
Posts: 75
Joined: Tue Sep 22, 2009 9:49 pm

file extensions

Post by user1234 »

Hi,

How does s9y handle double file extensions? E.g. abcfile.php.jpg? I'm asking because of this:

http://wordpress.org/development/2009/1 ... y-release/

Cheers,

Dachs
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Re: file extensions

Post by garvinhicking »

Hi!

I don't follow the WP code changes so much; do you have specifics about the problem? s9y forbids file extensions of the last part of a file, so "file.php.jpg" would be allowed. In which configuration could this be a problem?

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
user1234
Regular
Posts: 75
Joined: Tue Sep 22, 2009 9:49 pm

Re: file extensions

Post by user1234 »

Hi Garvin,

Apparently one of the more common Apache server setups allows/empowers the execution of a file as PHP through the browser which has the ending .php.jpg (or .php.gif etc.) after it has been uploaded to the server space.

Here's a report written up in German Heise magazine:

http://www.heise.de/newsticker/meldung/ ... 59384.html

It's possible only if someone has upload rights, but I could imagine that a non-experienced blog-owner might just do that with a photo or file sent to him without realizing what he's doing. That's why I asked. As these server configurations apparently are not exactly rare, and as the common blog-owner or webmaster has no way to change those easily, it might be worth looking into.

Cheers,

Dachs
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Re: file extensions

Post by garvinhicking »

Hi!

Ah. I wasn't aware of that specific Apache setting. Seems stupid to me. :-)

It's an easy patch I just committed, so now s9y also forbids such files. Thanks for mentioning this!

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
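The check Garvin describes, as an added example that is not s9y's own code or the committed patch: the "last segment only" test that lets "abcfile.php.jpg" through is shown beside a test that looks at every dotted segment. The background is Apache's mod_mime, which matches AddHandler/AddType entries against each dotted segment of a filename rather than only the final one, so on such a host a second, inner ".php" is enough for the file to be handed to the PHP interpreter; the server-side fix is to anchor the handler on a trailing ".php" (for example with a FilesMatch directive), but since the thread notes that many blog owners cannot change that, the upload filter has to cover the case itself. The extension list, function names and sample filenames below are constructed for the example.

```php
<?php
// Added example (not s9y's own code): reject uploads whose filename carries
// an executable extension in ANY dotted segment, not only the last one.
// Apache's mod_mime treats every dotted segment as a possible extension,
// so on such hosts "abcfile.php.jpg" can still be executed as PHP.

declare(strict_types=1);

// Constructed list of extensions a blog should never accept from uploads.
// Adjust it to whatever your host actually maps to a script handler.
const FORBIDDEN_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'phtml', 'phps',
    'cgi', 'pl', 'py', 'sh', 'htaccess',
];

/**
 * Old-style check: only the last extension is considered.
 * "abcfile.php.jpg" passes, which is exactly the weakness in the thread.
 */
function lastExtensionIsForbidden(string $filename, array $forbidden = FORBIDDEN_EXTENSIONS): bool
{
    $ext = strtolower((string) pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, $forbidden, true);
}

/**
 * Hardened check: every dotted segment after the base name is considered,
 * case-insensitively, so "abcfile.php.jpg" and "shell.PhP.gif" are rejected.
 */
function anyExtensionIsForbidden(string $filename, array $forbidden = FORBIDDEN_EXTENSIONS): bool
{
    // Drop any directory part first so "../x.php" and "x.php" behave alike.
    $segments = explode('.', basename($filename));
    array_shift($segments); // first segment is the name, not an extension
    foreach ($segments as $segment) {
        if (in_array(strtolower($segment), $forbidden, true)) {
            return true;
        }
    }
    return false;
}

/**
 * Defensive alternative for hosts you cannot reconfigure: keep only the
 * final extension and replace inner dots, so the stored name can never
 * carry a second, executable extension. Run this AFTER the deny check;
 * it renames, it does not decide whether the file is acceptable.
 */
function collapseExtensions(string $filename): string
{
    $base = basename($filename);
    $ext  = (string) pathinfo($base, PATHINFO_EXTENSION);
    $name = $ext === '' ? $base : substr($base, 0, -strlen($ext) - 1);
    $name = str_replace('.', '_', $name);
    return $ext === '' ? $name : $name . '.' . $ext;
}

// Constructed sample filenames for a quick self-check.
$samples = ['photo.jpg', 'abcfile.php.jpg', 'shell.PHP.gif', 'notes.txt', '.htaccess', 'archive.tar.gz'];
foreach ($samples as $s) {
    printf(
        "%-18s last-only: %-5s any-segment: %-5s stored as: %s\n",
        $s,
        lastExtensionIsForbidden($s) ? 'deny' : 'allow',
        anyExtensionIsForbidden($s) ? 'deny' : 'allow',
        collapseExtensions($s)
    );
}
```

Run with `php` on the command line to see the two checks side by side: "photo.jpg" and "notes.txt" pass both, while "abcfile.php.jpg" and "shell.PHP.gif" are allowed by the last-only check and denied by the any-segment check. The rename step costs you legitimate multi-dot names such as "archive.tar.gz" (stored as "archive_tar.gz"), which is the trade-off for not depending on the host's Apache configuration.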
user1234
Regular
Posts: 75
Joined: Tue Sep 22, 2009 9:49 pm

Re: file extensions

Post by user1234 »

Hi Garvin,

You're welcome ;-)

Is that patch available somewhere as a single file so I need not do full updates on all sites?

Cheers,

Dachs
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Re: file extensions

Post by garvinhicking »

Hi!

Sure, updates are always logged in our versioning system:

http://svn.berlios.de/viewvc/serendipity/trunk/

There you can download the most recent version, the code change is here:

http://svn.berlios.de/viewvc/serendipit ... ision=2595

HTH,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
user1234
Regular
Posts: 75
Joined: Tue Sep 22, 2009 9:49 pm

Re: file extensions

Post by user1234 »

Thanks! ;-)

Cheers,

Dachs