Make WordPress Core

Opened 15 years ago

Closed 15 years ago

Last modified 15 years ago

#11122 closed defect (bug) (fixed)

Sanitize filenames with multiple extensions

Reported by: ryan's profile ryan Owned by: ryan's profile ryan
Milestone: 2.8.6 Priority: normal
Severity: normal Version: 2.8.5
Component: Security Keywords: health-check
Focuses: Cc:

Description

Some apache setups will serve foo.php.jpg as a php file. Thwart this by munging intermediate extensions.

Attachments (1)

11122.diff (3.3 KB) - added by ryan 15 years ago.

Download all attachments as: .zip

Change History (9)

@ryan
15 years ago

#1 @westi
15 years ago

  • Keywords health-check added

Intriguing behaviour as really only the last part after the last dot is the extension IMHO

should we not just replace all dots bar the last one in the filename?

#2 @ryan
15 years ago

I'd rather not munge .tar.gz, for example.

#3 @ryan
15 years ago

The patch turns .php.jpg into .php_.jpg. .php.jpg.jpg into .php_.jpg.jpg. Anything that looks like an extension (a dot followed by [a-zA-Z]{2,5}\d?) that is not in the whitelist is munged by appending an underscore.

#4 @ryan
15 years ago

(In [12165]) Sanitize filenames with multiple extensions. see #11122

#5 @ryan
15 years ago

(In [12166]) Sanitize filenames with multiple extensions. see #11122

#6 @ryan
15 years ago

  • Milestone changed from 2.9 to 2.8.6

#7 @ryan
15 years ago

  • Resolution set to fixed
  • Status changed from new to closed

#8 @Otto42
15 years ago

Better fix for people with vulnerable hosts. Add this to the top of the root .htaccess file:

RemoveHandler application/x-httpd-php .php
<FilesMatch "\.php$|\.php5$|\.php4$|\.php3$|\.phtml$|\.phpt$">
  SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.phps$">
 SetHandler application/x-httpd-php-source
</FilesMatch>

This will remove the problem. Verified on a vulnerable shared web host (which shall remain nameless for now).

Tip that we should tell all web hosts: Don't use AddHandler.

This (or similar) is the vulnerability:

AddHandler application/x-httpd-php .php

This is the correct way to do it:

<FilesMatch "\.php$|\.php5$|\.php4$|\.php3$|\.phtml$|\.phpt$">
  SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.phps$">
 SetHandler application/x-httpd-php-source
</FilesMatch>

Reference step 15 of the install instructions here:
http://php.net/manual/en/install.unix.apache2.php

Note: See TracTickets for help on using tickets.