[Bug 225105] Re: Mimetypes coming from package mime-support cannot be removed

magkes marcus.krause at tu-clausthal.de
Mon Jun 9 21:12:42 BST 2008


** Summary changed:

- [Security] Mimetypes coming from package mime-support cannot be removed 
+ Mimetypes coming from package mime-support cannot be removed

** Description changed:

  Hi!
  
  Explanation from httpd.apache.org (http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext):
  Files can have more than one extension, and the order of the extensions is normally irrelevant. For example, if the file welcome.html.fr maps onto content type text/html and language French then the file welcome.fr.html will map onto exactly the same information. If more than one extension is given that maps onto the same type of meta-information, then the one to the right will be used, except for languages and content encodings. For example, if .gif maps to the MIME-type  image/gif and .html maps to the MIME-type text/html, then the file welcome.gif.html will be associated with the MIME-type text/html.
  
  On several PHP-based web-applications file(-upload) filtering is based on the last file-extension. If you want to prevent php processing for malicious files one could use a pattern like 
  \.php[45]?$
  
  But as Apache supports "Multiple Extensions", also files like index.php.abc will be handed over to PHP preprocessor. If you would prefer only the last dot-separated part of the filename to be mapped to a particular piece of meta-data, apache suggests to use  "SetHandler".  A PHP solution would be
  <FilesMatch \.php[45]?$>
                  SetHandler application/x-httpd-php
  </FilesMatch>
  
  As apache2.2-common depends on mime-support it is already aware of php
  mime-types. Btw. this makes it totally useless to register these mime-
  types with file php5.conf in package libapache2-mod-php5 again.
  
  Because of the already registered mime types in /etc/mime.types you have to unregister these to only map files based on the last dot-separated part of the filename. To get rid of them you should be able to place
   RemoveHandler .php .php4 .php5 .phps .pht .phtml
   RemoveType .php .php4 .php5 .phps .pht .phtml
  somewhere in apache2.conf or php5.conf. Unfortunately this does not work!! Apache then still knows what to do with index.php.anydamnextension!
  
  I'm unsure what package to blame; "mime-support" for listing php mime
  types or "apache2.2-common" for not being able to unregister them.
- 
- 
- Marcus Krause
- 
- Member TYPO3 Security Team

-- 
Mimetypes coming from package mime-support cannot be removed 
https://bugs.launchpad.net/bugs/225105
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in ubuntu.
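
The gap described in the report, between a last-extension upload filter and Apache's multiple-extension mapping, can be checked on the application side. The following is an added example, not code from the bug report or from any of the packages named in it. The function names and sample filenames are constructed for illustration, and the model is deliberately conservative: it flags a PHP-mapped extension in any position, even where a later extension with its own type mapping would take precedence.

```python
import re

# Extensions taken from the RemoveHandler/RemoveType lines in the report.
PHP_EXTENSIONS = {"php", "php4", "php5", "phps", "pht", "phtml"}

# The last-extension upload filter quoted in the report.
LAST_EXT_FILTER = re.compile(r"\.php[45]?$")

# Constructed sample upload names (not from the report, except index.php.abc).
SAMPLE_NAMES = ["index.php", "index.php.abc", "welcome.gif.html",
                "photo.jpg", "report.phtml.bak"]


def extensions(filename):
    """Return every dot-separated part after the base name, lowercased."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return [part.lower() for part in name.split(".")[1:] if part]


def blocked_by_last_ext_filter(filename):
    """True if the quoted pattern, applied to the last extension, rejects the name."""
    return LAST_EXT_FILTER.search(filename) is not None


def php_mapped_extensions(filename):
    """Conservative model of multiple-extension mapping: a PHP extension
    anywhere in the name counts, not only the last one."""
    return [ext for ext in extensions(filename) if ext in PHP_EXTENSIONS]


def filter_gaps(filenames):
    """Names the last-extension filter accepts although they still carry
    a PHP-mapped extension somewhere in the name."""
    return [f for f in filenames
            if not blocked_by_last_ext_filter(f) and php_mapped_extensions(f)]


def is_acceptable_upload_name(filename):
    """Stricter upload check: reject if any extension is PHP-mapped."""
    return not php_mapped_extensions(filename)


if __name__ == "__main__":
    for name in filter_gaps(SAMPLE_NAMES):
        print("accepted by last-extension filter, still PHP-mapped:", name)
```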


