double-extensions in apache?

Joseph Sinclair plug-discussion at stcaz.net
Sun Mar 20 01:11:08 MST 2011


Apache and other web servers are required to send the MIME type of any data in a response.
There's really no such thing as a file in HTTP, only data streams and MIME boundaries, so that MIME type is pretty important.
How else, in a general and cross-platform way, are the web servers to figure that out other than looking at the file extension?
Also, the cascading file type approach is there because website builders (mostly Microsoft's FrontPage abomination and similar garbage) have been known to throw all kinds of extra file extensions on content that's imported (like taking image.png and saving it as image.png.bmp).
Sometimes there is filesystem metadata and sometimes not, but none of that is cross-platform and even when it's available it isn't always populated.
Webservers may use it if it's present, but they always have to fall back to extension matching.

It's not ideal, but it's what the developers of the Apache webserver have to do to make it work for a wide audience (one of the downsides of being, by a huge margin, the most widely used web server on the net).

There are tools to check your site and ensure everything is clean with extensions, metadata, etc. Those should be used by everyone developing a website.
There are also settings to disable content-type-determination on uploads, and those should ALWAYS be enabled.
It's OK to guess the content type of a file in the filesystem, but an HTTP PUT request is supposed to *tell* you the MIME type, and if it doesn't then the sender simply cannot be trusted to put content to your site.

Just my thoughts on the matter.

==Joseph++

On 03/20/2011 12:21 AM, der.hans wrote:
> moin moin,
> 
> "When web servers such as Apache decide how to process a URL request, they
> use the file extension. If the extension is not recognized, Apache skips
> that extension and uses the previous file extension. For example, if the
> file being requested is exploit.php.pps, and Apache does not recognize the
> '.pps' extension, it treats the file as PHP and executes it."
> 
> http://api.drupal.org/api/drupal/includes--file.inc/function/file_munge_filename/6
> 
> That absolutely doesn't make sense to me. It seems foolish to reinterpret
> what the content-type is.
> 
> Apache ( and other web-servers ) shouldn't be making wild guesses about
> content-types.
> 
> http://www.ruby-forum.com/topic/185709
> 
> ciao,
> 
> der.hans
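
The double-extension behaviour quoted above, and one way an upload handler can neutralise it before a file reaches the web root, as an added example that is not part of the original thread and is not Apache's or Drupal's own code. `SERVER_KNOWN`, `resolve`, `munge` and `check_upload` are hypothetical names, and the right-to-left lookup is a simplified model of the quoted description.

```python
# Added illustration: a simplified model, not Apache's or Drupal's own code.

# Constructed sample of extensions the server has a mapping for (assumption).
SERVER_KNOWN = {"php": "execute as PHP", "png": "image/png", "txt": "text/plain"}


def resolve(filename, known=SERVER_KNOWN):
    """Model the quoted behaviour: walk extensions right to left, skip any
    the server does not recognise, and act on the first one it does."""
    parts = filename.split(".")
    for ext in reversed(parts[1:]):
        action = known.get(ext.lower())
        if action is not None:
            return action
    return "default type"


def munge(filename, allowed):
    """Neutralise inner extensions of an uploaded file name: every extension
    except the last that is not on the allowlist gets a trailing underscore,
    so the server can no longer match it."""
    allowed = {e.lower() for e in allowed}
    parts = filename.split(".")
    if len(parts) < 3:          # zero or one extension: nothing to neutralise
        return filename
    name, inner, last = parts[0], parts[1:-1], parts[-1]
    safe = [e if e.lower() in allowed else e + "_" for e in inner]
    return ".".join([name, *safe, last])


def check_upload(filename, allowed):
    """Reject a disallowed final extension, otherwise return the munged name."""
    last = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if last not in {e.lower() for e in allowed}:
        raise ValueError(f"extension {last!r} not allowed")
    return munge(filename, allowed)


if __name__ == "__main__":
    allowed = ["png", "txt", "pps"]     # constructed upload allowlist
    for name in ["photo.png", "exploit.php.pps", "notes.txt.png"]:
        stored = check_upload(name, allowed)
        print(f"{name!r}: as-is -> {resolve(name)}; "
              f"stored as {stored!r} -> {resolve(stored)}")
```
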
