WordPress.org

Make WordPress Core

Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#11122 closed defect (bug) (fixed)

Sanitize filenames with multiple extensions

Reported by: ryan Owned by: ryan
Milestone: 2.8.6 Priority: normal
Severity: normal Version: 2.8.5
Component: Security Keywords: health-check
Focuses: Cc:

Description

Some apache setups will serve foo.php.jpg as a php file. Thwart this by munging intermediate extensions.

Attachments (1)

11122.diff (3.3 KB) - added by ryan 7 years ago.

Download all attachments as: .zip

Change History (9)

@ryan
7 years ago

#1 @westi
7 years ago

  • Keywords health-check added

Intriguing behaviour as really only the last part after the last dot is the extension IMHO

should we not just replace all dots bar the last one in the filename?

#2 @ryan
7 years ago

I'd rather not munge .tar.gz, for example.

#3 @ryan
7 years ago

The patch turns .php.jpg into .php_.jpg. .php.jpg.jpg into .php_.jpg.jpg. Anything that looks like an extension (a dot followed by [a-zA-Z]{2,5}\d?) that is not in the whitelist is munged by appending an underscore.

#4 @ryan
7 years ago

(In [12165]) Sanitize filenames with multiple extensions. see #11122

#5 @ryan
7 years ago

(In [12166]) Sanitize filenames with multiple extensions. see #11122

#6 @ryan
7 years ago

  • Milestone changed from 2.9 to 2.8.6

#7 @ryan
7 years ago

  • Resolution set to fixed
  • Status changed from new to closed

#8 @Otto42
7 years ago

Better fix for people with vulnerable hosts. Add this to the top of the root .htaccess file:

RemoveHandler application/x-httpd-php .php
<FilesMatch "\.php$|\.php5$|\.php4$|\.php3$|\.phtml$|\.phpt$">
  SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.phps$">
 SetHandler application/x-httpd-php-source
</FilesMatch>

This will remove the problem. Verified on a vulnerable shared web host (which shall remain nameless for now).

Tip that we should tell all web hosts: Don't use AddHandler.

This (or similar) is the vulnerability:

AddHandler application/x-httpd-php .php

This is the correct way to do it:

<FilesMatch "\.php$|\.php5$|\.php4$|\.php3$|\.phtml$|\.phpt$">
  SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.phps$">
 SetHandler application/x-httpd-php-source
</FilesMatch>

Reference step 15 of the install instructions here:
http://php.net/manual/en/install.unix.apache2.php

Note: See TracTickets for help on using tickets.