Make WordPress Core

Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#11122 closed defect (bug) (fixed)

Sanitize filenames with multiple extensions

Reported by: ryan Owned by: ryan
Milestone: 2.8.6 Priority: normal
Severity: normal Version: 2.8.5
Component: Security Keywords: health-check
Focuses: Cc:


Some apache setups will serve foo.php.jpg as a php file. Thwart this by munging intermediate extensions.

Attachments (1)

11122.diff (3.3 KB) - added by ryan 4 years ago.

Download all attachments as: .zip

Change History (9)

ryan4 years ago

comment:1 westi4 years ago

  • Keywords health-check added

Intriguing behaviour as really only the last part after the last dot is the extension IMHO

should we not just replace all dots bar the last one in the filename?

comment:2 ryan4 years ago

I'd rather not munge .tar.gz, for example.

comment:3 ryan4 years ago

The patch turns .php.jpg into .php_.jpg. .php.jpg.jpg into .php_.jpg.jpg. Anything that looks like an extension (a dot followed by [a-zA-Z]{2,5}\d?) that is not in the whitelist is munged by appending an underscore.

comment:4 ryan4 years ago

(In [12165]) Sanitize filenames with multiple extensions. see #11122

comment:5 ryan4 years ago

(In [12166]) Sanitize filenames with multiple extensions. see #11122

comment:6 ryan4 years ago

  • Milestone changed from 2.9 to 2.8.6

comment:7 ryan4 years ago

  • Resolution set to fixed
  • Status changed from new to closed

comment:8 Otto424 years ago

Better fix for people with vulnerable hosts. Add this to the top of the root .htaccess file:

RemoveHandler application/x-httpd-php .php
<FilesMatch "\.php$|\.php5$|\.php4$|\.php3$|\.phtml$|\.phpt$">
  SetHandler application/x-httpd-php
<FilesMatch "\.phps$">
 SetHandler application/x-httpd-php-source

This will remove the problem. Verified on a vulnerable shared web host (which shall remain nameless for now).

Tip that we should tell all web hosts: Don't use AddHandler.

This (or similar) is the vulnerability:

AddHandler application/x-httpd-php .php

This is the correct way to do it:

<FilesMatch "\.php$|\.php5$|\.php4$|\.php3$|\.phtml$|\.phpt$">
  SetHandler application/x-httpd-php
<FilesMatch "\.phps$">
 SetHandler application/x-httpd-php-source

Reference step 15 of the install instructions here:

Note: See TracTickets for help on using tickets.