PEAK XOOPS - Countermeasure for "Attempt to multiple dot file"

Countermeasure for "Attempt to multiple dot file"

Posted on 2008/7/24 15:22
tomotomo  Private   Posts: 5
Hi,
I have a question about Protector 3.15.

When I upload a file with a double extension (e.g. data.sample.csv), Protector seems to force-terminate.
When I checked the log, the following message had been recorded.

Quote:
UPLOAD Attempt to multiple dot file data.sample.csv

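I read somewhere that, to stop the error on double-extension uploads,
I have to set [Exit if bad files are uploaded] in [General Settings] to "No".
But then I would be in trouble if a PHP file or the like were uploaded.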

To allow double extensions, it looks like I could solve this by commenting out the following in function check_uploaded_files (around l.583) of XOOPS_TRUST_PATH/modules/protecter/protecter.php:
// anti multiple dot file (Apache mod_mime.c)
if( count( explode( '.' , str_replace( '.tar.gz' , '.tgz' , $_file['name'] ) ) ) > 2 ) {
	$this->message .= "Attempt to multiple dot file {$_file['name']}.\n" ;
	$this->_safe_badext = false ;
	$this->last_error_type = 'UPLOAD' ;
}
Do you think doing this would have any bad side effects?
Thank you in advance.

---Sorry, I'll try to repost in English.
If I upload a multiple-dot file, Protector shuts down.
e.g. data.sample.csv
The Protector log shows the message below:
Quote:
UPLOAD Attempt to multiple dot file data.sample.csv

To solve this trouble, I need to change "Exit if bad files are uploaded" to "No".
I guess this change brings on some more trouble.

I'd try to comment out the following in check_uploaded_files (around l.583) in the file XOOPS_TRUST_PATH/modules/protecter/protecter.php:
// anti multiple dot file (Apache mod_mime.c)
if( count( explode( '.' , str_replace( '.tar.gz' , '.tgz' , $_file['name'] ) ) ) > 2 ) {
	$this->message .= "Attempt to multiple dot file {$_file['name']}.\n" ;
	$this->_safe_badext = false ;
	$this->last_error_type = 'UPLOAD' ;
}

Do you think this change is not good or brings on some more trouble?
Votes:2 Average:5.00
Posted on 2008/7/25 4:30
GIJOE  Gunnery Sergeant   Posts: 4110
Hi tomotomo.

Do you know foo.php.bar can be parsed as "php"?

Of course, your patch looks OK as long as you avoid modules putting the uploaded file as $_FILES[$n]['name'] under DocumentRoot.
Votes:4 Average:5.00
Posted on 2008/7/25 7:28
vaughan  Lance Corporal   Posts: 37
Why not add

define('PROTECTOR_SKIP_FILESCHECKER', true);
to the beginning of the script file that is giving you these issues? Of course, you need to trust your users then and not allow anonymous uploads, and storing the files outside of the webroot is a must-do.
Votes:0 Average:0.00
Posted on 2008/8/31 4:27
GIJOE  Gunnery Sergeant   Posts: 4110
Hi vaughan.

Quote:

why not add
define('PROTECTOR_SKIP_FILESCHECKER', true);
You are a great user of Protector.
Certainly, this is an important constant for modules uploading various files.
e.g. some wikis allow uploading PHP files as source code.
Votes:2 Average:5.00
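
An added example (not part of the thread and not Protector's own code) of an upload handler that accepts data.sample.csv while still covering the foo.php.bar case raised above: every dot-separated segment is checked, and the file is stored under a generated name instead of $_FILES[$n]['name']. The extension lists and function names are assumptions for illustration.

```php
<?php
// Added example, not Protector's code. Lists and names below are assumptions.

// Extensions often mapped to a handler in Apache configs (assumed; match your httpd config).
const HANDLER_EXTS = ['php', 'php3', 'php4', 'php5', 'phtml', 'phps', 'cgi', 'pl', 'py', 'shtml'];

/**
 * Return handler-mapped segments found anywhere after the base name.
 * mod_mime can act on any extension segment, not only the last one.
 */
function risky_segments(string $name): array
{
    $parts = explode('.', strtolower(basename($name)));
    array_shift($parts);                 // first segment is the base name
    return array_values(array_intersect($parts, HANDLER_EXTS));
}

/**
 * Build a storage name that never reuses the client-supplied name:
 * random stem plus one allow-listed final extension. Null means reject.
 */
function storage_name(string $name, array $allowed = ['csv', 'txt', 'png', 'jpg', 'pdf', 'gz']): ?string
{
    if (risky_segments($name) !== []) {
        return null;                     // e.g. foo.php.bar
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return null;                     // unknown or missing final extension
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names, not taken from any real log.
foreach (['data.sample.csv', 'foo.php.bar', 'report.PHP.csv', 'archive.tar.gz', '.htaccess'] as $n) {
    printf(
        "%-16s risky=[%s] stored_as=%s\n",
        $n,
        implode(',', risky_segments($n)),
        storage_name($n) ?? '(rejected)'
    );
}
```

In a real handler the returned name would be passed to move_uploaded_file() with a destination directory outside DocumentRoot, as the replies above advise.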
