[nycphp-talk] not including '.php' in URI
inforequest
1j0lkq002 at sneakemail.com
Tue Mar 21 16:48:45 EST 2006
Kenneth Dombrowski kenneth-at-ylayali.net |nyphp dev/internal group use| wrote:
>On 06-03-21 13:55 -0500, Chris Shiflett wrote:
>
>>Dan Horning wrote:
>>
>>>it's not a matter of making things faster, b/c it won't, I've
>>>tried, but in actuality you create excessive opportunities for
>>>security breaches, why on earth would you want to make your
>>>life harder.
>>
>>Can you substantiate that claim? My web sites don't use file extensions,
>>but I doubt you can convince me that this increases my security risk.
>
>Well, I'm not sure what Dan was thinking, but my first reaction to
>"parse every file as PHP" was to think of an image containing the string
>'<?', text files containing sample code, etc., and then the obvious
>implications of accepting any content files from third parties anywhere.
>The only way I know of to convince Apache to do that is ForceType, which
>could be safe if it was deployed carefully, sure, but I agree it would
>introduce a risk. I also think it's a really ugly way to do it, whether
>there's a security risk or not (and I'm pretty sure nobody said they
>were doing it that way anyway), but that's a matter of opinion.
>
Thanks, Kenneth, but can you elaborate a bit on this part? What is the
ugly part... and what is unsafe about using ForceType? Thanks.
-=john andrews
http://www.seo-fun.com
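
The ForceType concern raised in the quoted reply, shown as an added configuration example that is not part of the original message or from any poster in the thread. It assumes mod_php with the `application/x-httpd-php` type registered; the paths and the script name `article` are hypothetical.

```apache
# Constructed example. Paths and the script name "article" are assumptions.
# Options A and B are alternatives, not meant to be loaded together.

# Option A (broad): every file under the document root is handed to PHP,
# whatever its real content. An uploaded image or a text file of sample
# code that contains "<?" is executed when it is requested.
<Directory "/var/www/example/htdocs">
    ForceType application/x-httpd-php
</Directory>

# Option B (scoped): only the one extensionless script is treated as PHP,
# so /article/2006/03 runs the script while images, text files and
# everything else keep their normal content type.
<Directory "/var/www/example/htdocs">
    <Files "article">
        ForceType application/x-httpd-php
    </Files>
</Directory>

# With either option, content accepted from third parties belongs in its
# own directory where the PHP engine is switched off (mod_php directive),
# so a stray "<?" in an uploaded file is never interpreted.
<Directory "/var/www/example/htdocs/uploads">
    php_admin_flag engine off
</Directory>
```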