[php-maint] Bug#555606: Rethink mod_php default configuration / disable for userdirs

Stefan Fritsch sf at sfritsch.de
Tue Nov 10 11:59:19 UTC 2009


package: libapache2-mod-php5
severity: wishlist

On Tuesday 10 November 2009, sean finney wrote:
> > > And my personal nitpick; PHP should be off by default so that
> > > php scripts in configured data locations are not executed by
> > > web servers by default. PHP files/dirs in webapp packages
> > > should be whitelisted for execution rather than each webapp
> > > needing to blacklist their configured data locations.
> >
> > 
> > Fine with me. I'm not sure every web server supports such
> > feature, though.
> 
> someone ought to file a wishlist bug against php5.  at the very
>  least there could be a debconf prompt controlling the global
>  status of php, and i think there's a strong case for arguing that
>  apps shouldn't assume that it's on by default.
> 

I would really like to see php being disabled for userdirs by default. 
This currently allows every user to execute code as user www-data.






More information about the pkg-php-maint mailing list