Serendipity Forums

Hi,

how does s9 handle double file extensions? E.g. abcfile.php.jpg? I'm asking because of this:

http://wordpress.org/development/2009/1 ... y-release/

Cheers,

Dachs

Hi!

I don't so much follow the WP code changes, do you have specifics about the problem? s9y forbids file extensions of the last part of a file, so "file.php.jpg" would be allowed. In which configuration could this be a problem?

Regards,
Garvin

Hi Garvin,

apparently one of the more common Apache server setups allows/empowers the execution of a file as php through the browser which has the ending .php,jpg (or .php.gif etc.) after it has been uploaded to the server space.

Here's a report written up in German Heise magazine:

http://www.heise.de/newsticker/meldung/ ... 59384.html

It's possible only if someone has upload rights, but I could imagine that a non-experienced blog-owner might just do that with a photo or file sent to him without realizing what he's doing. That's why I asked. As these server configurations apparently are not exactly rare, and as the common blog-owner or webmaster has no way to change those easily, it might be worth looking into.

Cheers,

Dachs

Hi!

Ah. I wasn't aware of that specific Apache setting. Seems stupid to me.

It's an easy patch I just committed, so now also s9y forbidds such files. Thanks for mentioning this!

Regards,
Garvin

Hi Garvin,

you're welcome

Is that patch available somewhere as a single file so I need not do full updates on all sites?

Cheers,

Dachs

Hi!

Sure, updates are always logged in our versioning system:

http://svn.berlios.de/viewvc/serendipity/trunk/

There you can download the most recent version, the code change is here:

http://svn.berlios.de/viewvc/serendipit ... ision=2595

HTH,
Garvin

Thanks!

Cheers,

Dachs