Bug 60976

Summary: AddHandler cgi-script .pl - something.pl.js files are executed
Product: Apache httpd-2 Reporter: kolorafa <apache_org>
Component: mod_mimeAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: REOPENED ---    
Severity: normal    
Priority: P2    
Version: 2.4.23   
Target Milestone: ---   
Hardware: PC   
OS: Linux   

Description kolorafa 2017-04-12 13:53:41 UTC
I just uploaded a test site to local apache and got "500 Internal Server Error" while loading static file "http://localhost/js/bootstrap-datepicker.pl.js". (pl as a language code)

The file was wrongly parsed/executed by the server as a perl script.

The only way to fix this was to comment:
# AddHandler cgi-script .cgi .pl

or remove .pl as it was wrongly matched with ".pl.js" file

Using Apache (lampp) on Arch
Comment 2 Eric Covener 2017-04-12 14:03:24 UTC
This is simply how mimetype mapping works in Apache, all extensions are considered.
Comment 3 kolorafa 2017-04-12 14:06:13 UTC
So you can upload a .txt or .jpg file like "test.pl.jpg" and it will be executed on the server?
Comment 4 Eric Covener 2017-04-12 14:11:59 UTC
(In reply to kolorafa from comment #3)
> So you can upload a .txt or .jpg file like "test.pl.jpg" and it will be
> executed on the server?

Yes, if you can write to a directory where the server is configured to execute CGI by filename, and you get to choose the filename, it will be executed.
Comment 5 kolorafa 2017-04-12 14:21:42 UTC
OK, I did have ExecCGI enabled on this directory.

I disabled the ExecCGI.

Now when i want to download a /js/bootstrap-datepicker.pl.js file i get Error 403, how can i access/download the file?
Comment 6 kolorafa 2017-04-12 14:34:15 UTC
So what can i do in case of:
- i want to leave the name as it's an external package
- i don't want or can't modify "AddHandler cgi-script .cgi .pl" as for example it's an external server
- i would like to be abble to execute script.pl in this folder

Even if mime match all extensions it should priority last valid one, or maybe there is some setting.

This problem doesn't exists with for example php.

(No to mention if someone is using cgi app, and allow to upload file with original file names - that's as for me is a security bug)

I don't want to be rude, but I love apache web server, and that's why .....