I just uploaded a test site to local apache and got "500 Internal Server Error" while loading static file "http://localhost/js/bootstrap-datepicker.pl.js". (pl as a language code) The file was wrongly parsed/executed by the server as a perl script. The only way to fix this was to comment: # AddHandler cgi-script .cgi .pl or remove .pl as it was wrongly matched with ".pl.js" file Using Apache (lampp) on Arch
The same with cgi: http://localhost/test.cgi.txt < is executed https://download.dlk.pl/screenshots/2017-04-12-16-01-51-3WQ0LHmgVlXFAUum.png http://localhost/test.cg.txt < is not https://download.dlk.pl/screenshots/2017-04-12-16-02-07-1hU3ISTtHXMPTHuZ.png
This is simply how mimetype mapping works in Apache, all extensions are considered.
So you can upload a .txt or .jpg file like "test.pl.jpg" and it will be executed on the server?
(In reply to kolorafa from comment #3) > So you can upload a .txt or .jpg file like "test.pl.jpg" and it will be > executed on the server? Yes, if you can write to a directory where the server is configured to execute CGI by filename, and you get to choose the filename, it will be executed.
OK, I did have ExecCGI enabled on this directory. I disabled the ExecCGI. Now when i want to download a /js/bootstrap-datepicker.pl.js file i get Error 403, how can i access/download the file?
So what can i do in case of: - i want to leave the name as it's an external package - i don't want or can't modify "AddHandler cgi-script .cgi .pl" as for example it's an external server - i would like to be abble to execute script.pl in this folder Even if mime match all extensions it should priority last valid one, or maybe there is some setting. This problem doesn't exists with for example php. (No to mention if someone is using cgi app, and allow to upload file with original file names - that's as for me is a security bug) I don't want to be rude, but I love apache web server, and that's why .....