iBlog - Ilia Alshanetsky

Entries from August 2010

Quicksearch

Calendar

Syndicate This Blog

Comments

Monday, August 30. 2010

Beware of the default Apache 2 ... Posted by Ilia Alshanetsky in PHP at 14:52

Comments (14)
Trackbacks (0)

Beware of the default Apache 2 config for PHP

About a week ago, I was doing some upgrades on my development machine and came across a rather nasty issue when it comes to how .php(s) files are associated with PHP in Apache. It seems that a number of distros including Gentoo (which is what I was using) are using the following configuration directive to make the PHP module parse PHP files:



<IfModule mod_mime.c>

       AddHandler application/x-httpd-php .php

       AddHandler application/x-httpd-php-source .phps

</IfModule>

The non-obvious problem with the above is that it will allow not only "file.php" to be treated as PHP scripts, but also "file.php.txt", which means that any file containing ".php" in its name, no matter where in the filename, would be treated as a PHP script. This of course creates a rather nasty security hole, since many upload file validation tools, only check the final extension. Consequently allowing the user to by-pass the validation, by simply prefixing another "harmless" extension like .txt, .pdf, etc... to the filename, but still get the code to execute.

To mitigate this problem you should instead use the following configuration, that would only pick-up of files ending with a .php extension.



<IfModule mod_mime.c>

       AddType application/x-httpd-php .php

       AddType application/x-httpd-php-source .phps

</IfModule>

The difference between the two configurations being that the original uses AddHandler (bad) and the latter uses AddType (good).

Friday, August 27. 2010

PHP Excel Extension 0.8.6 Posted by Ilia Alshanetsky in PHP at 07:56

Comments (32)
Trackbacks (0)

PHP Excel Extension 0.8.6

PHP Excel Extension 0.8.6

The 0.8.6 version of the Excel extension was released and is now available for download. This version was updated to contain LibXL 3.0 support which introduces Excel 2007/2010 read/write support, which means that this extension can now read and generate any Excel file. Support for XSLX (2007/2010) format can be enabled by passing "true" as the 3rd parameter to the ExcelBook() construtor.

GitHub: http://github.com/iliaal/php_excel/
Source: http://github.com/downloads/iliaal/php_excel/php-excel-0.8.6.tar.bz2

Wednesday, August 11. 2010

PHP Excel Extension 0.8.5 Posted by Ilia Alshanetsky in PHP at 15:27

Comments (18)
Trackbacks (0)

PHP Excel Extension 0.8.5

The 0.8.5 version of the Excel extension was released and is now available for download, it contains a number of small build fixes, which makes it possible to compile it against all versions of PHP (5.2,5.3,trunk). The Win32 compilation was also fixed and thanks to Kalle, PHP 5.3 win32 binaries are now available for download as well.

GitHub: http://github.com/iliaal/php_excel/
Source: http://github.com/downloads/iliaal/php_excel/php-excel-0.8.5.tar.bz2
Win32 Binaries: http://github.com/downloads/iliaal/php_excel/php-excel-5.3.zip

Sunday, August 1. 2010

PHP Excel Extension Posted by Ilia Alshanetsky in PHP at 14:06

Comments (14)
Trackbacks (0)

PHP Excel Extension

Since I broke my right hand 3 weeks ago while biking, I found myself with a lot of spare time :/. It is amazing just how limited your ability to do things becomes when you can only use one hand. So, to stave off the boredom, I've been slowly toiling away on a PHP Excel extension that I intend to use at work, which I've finally gotten ready for release today.
You can find it on github at: http://github.com/iliaal/php_excel.
Continue reading "PHP Excel Extension"

« previous page (Page 1 of 1, totaling 4 entries) next page »
Frontpage

Guide to PHP Security