Sanitize filenames with multiple extensions

[ryan]

Some apache setups will serve foo.php.jpg as a php file. Thwart this by munging intermediate extensions.

Intriguing behaviour as really only the last part after the last dot is the extension IMHO

should we not just replace all dots bar the last one in the filename?

I'd rather not munge .tar.gz, for example.

The patch turns .php.jpg into .php_.jpg. .php.jpg.jpg into .php_.jpg.jpg. Anything that looks like an extension (a dot followed by [a-zA-Z]{2,5}\d?) that is not in the whitelist is munged by appending an underscore.

(In [12165]) Sanitize filenames with multiple extensions. see #11122

(In [12166]) Sanitize filenames with multiple extensions. see #11122

Better fix for people with vulnerable hosts. Add this to the top of the root .htaccess file:

RemoveHandler application/x-httpd-php .php
<FilesMatch "\.php$|\.php5$|\.php4$|\.php3$|\.phtml$|\.phpt$">
  SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.phps$">
 SetHandler application/x-httpd-php-source
</FilesMatch>

This will remove the problem. Verified on a vulnerable shared web host (which shall remain nameless for now).

Tip that we should tell all web hosts: Don't use AddHandler.

This (or similar) is the vulnerability:

AddHandler application/x-httpd-php .php

This is the correct way to do it:

<FilesMatch "\.php$|\.php5$|\.php4$|\.php3$|\.phtml$|\.phpt$">
  SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.phps$">
 SetHandler application/x-httpd-php-source
</FilesMatch>

Reference step 15 of the install instructions here:  http://php.net/manual/en/install.unix.apache2.php