[nycphp-talk] not including '.php' in URI

inforequest 1j0lkq002 at sneakemail.com
Tue Mar 21 16:48:45 EST 2006


Kenneth Dombrowski kenneth-at-ylayali.net |nyphp dev/internal group use| 
wrote:

>On 06-03-21 13:55 -0500, Chris Shiflett wrote:
>
>>Dan Horning wrote:
>>
>>>it's not a matter of making things faster, b/c it won't, I've
>>>tried, but in actuality you create excessive opportunities for
>>>security breaches, why on earth would you want to make your
>>>life harder.
>>
>>Can you substantiate that claim? My web sites don't use file extensions, 
>>but I doubt you can convince me that this increases my security risk.
>
>well, I'm not sure what Dan was thinking, but my first reaction to
>"parse every file as php" was to think of an image containing the string
>'<?', text files containing sample code, etc, and then the obvious
>implications of accepting any content files from third parties anywhere.
>The only way I know of to convince apache to do that is ForceType, which
>could be safe if it was deployed carefully, sure, but I agree it would
>introduce a risk.  I also think it's a really ugly way to do it, whether
>there's a security risk or not (and I'm pretty sure nobody said they
>were doing it that way anyway), but that's a matter of opinion



Thanks Kenneth, but can you elaborate a bit on this part? What is the 
ugly part... and what is unsafe about using ForceType? Thanks.


-=john andrews
http://www.seo-fun.com
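
The concern in the quoted message about "parse every file as php", as an added example that is not part of the original thread: this Python check walks a document root and reports files that are not meant to be PHP but contain a PHP open tag, which is the content a blanket ForceType would hand to the interpreter. The extension list, the function names and the sample files are constructed assumptions.

```python
import os
import tempfile

# Assumption: only these extensions are meant to hold PHP code on this site.
PHP_EXTENSIONS = {".php", ".phtml"}

# Constructed sample tree (not from the thread): relative path -> file bytes.
SAMPLES = {
    "index.php": b"<?php echo 'home'; ?>",
    "uploads/avatar.gif": b"GIF89a\x01\x00\x01\x00 <?php /* comment field */ ?>",
    "uploads/photo.jpg": b"\xff\xd8\xff\xe0 plain image bytes",
    "docs/sample.txt": b"Example: <? echo $x ?>",
    "feed.xml": b"<?xml version='1.0'?><rss/>",
}

def classify(data):
    """Say how the PHP parser would react to this content."""
    if b"<?php" in data.lower():
        return "php-tag"    # executed under any PHP configuration
    if b"<?" in data:
        return "short-tag"  # code (or a parse error, e.g. '<?xml') if short_open_tag is on
    return None             # emitted unchanged as output

def audit_tree(root):
    """Map relative path -> verdict for each non-PHP file containing an open tag."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in PHP_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                verdict = classify(fh.read())
            if verdict:
                findings[os.path.relpath(path, root)] = verdict
    return findings

def demo():
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return audit_tree(root)

if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:10} {rel}")
```

Binary files can contain the two bytes `<?` by coincidence, so a "short-tag" verdict on an image is a prompt to inspect the file, not proof that it carries code.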



