> a recent post on bugtraq hilighted an issue with how upstream has > configured apache to invoke php, namely using addhandler, which has the > behavior of matching the extension anywhere in the file. this means > that foo.php.jpg will be run as php. where this becomes an issue is web > apps that allow uploads into the webspace for images, pdfs, etc. if the > app assumes that anything.jpg is safe, this addhandler feature will > surprise it. Hi Joe, Are you sure this is limited to just CentOS? I've seen that config used before on other distro's apache configs. >From the Apache 2.x Docs: --- Care should be taken when a file with multiple extensions gets associated with both a MIME-type and a handler. This will usually result in the request being by the module associated with the handler. For example, if the .imap extension is mapped to the handler imap-file (from mod_imap) and the .html extension is mapped to the MIME-type text/html, then the file world.imap.html will be associated with both the imap-file handler and text/html MIME-type. When it is processed, the imap-file handler will be used, and so it will be treated as a mod_imap imagemap file. --- So if example.php.gif is read by apache, the AddHandler for php5-script (mod_php) will take precedence over the mime-type handler for .gif (image/gif) and the file will be treated as a php script. >From that it almost sounds like it's not a bug, just apache's own rules of precedence for handling files that match multiple extensions/mime-types. -- Drew "Nothing in life is to be feared. It is only to be understood." --Marie Curie