[php-maint] Bug#589384: libapache2-mod-php5: Even with new SetHandler config, php is still activated because of mime type
Stefan Fritsch
sf at debian.org
Sat Jul 17 08:41:12 UTC 2010

Package: libapache2-mod-php5
Version: 5.2.11.dfsg.1-2
Severity: normal

Even with the new

    <FilesMatch "\.ph(p3?|tml)$">
        SetHandler application/x-httpd-php
    </FilesMatch>

config, files named blah.php.blubb are still executed as php scripts because
they are assigned the type application/x-httpd-php in /etc/mime.types and
mod_php will execute all files of this type. This can of course be a security
problem for sites that accept uploaded files.

There are two possible remedies:

- Remove all relevant types from /etc/mime.types
- Add
      RemoveType php phtml pht phps php3 php3p php4 php5
  to php5.conf

I am slightly in favor of the RemoveType solution (together with a comment
explaining the why). Changes to /etc/mime.types may easily be refused
on upgrade by the user (I expect the diff to be rather large).

If you think the correct fix would be to change /etc/mime.types, feel free
to reassign the bug.

NB: RemoveType works for types loaded from mime.types only since apache2
2.2.14-2 (or upstream version 2.2.15).
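
An added example, not part of the original report and not Apache or PHP code: a simplified Python model of the type resolution described above, which lists file names that would run as PHP through their MIME type even though the FilesMatch regex does not match them. The mime.types sample and the file names are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in mime.types format (an assumption, not the real Debian file).
SAMPLE_MIME_TYPES = """\
application/x-httpd-php    phtml pht php
image/jpeg                 jpeg jpg jpe
text/plain                 txt
"""
PHP_TYPE = "application/x-httpd-php"
FILES_MATCH = re.compile(r"\.ph(p3?|tml)$")  # regex from the report's FilesMatch block
REMOVE_TYPE = {"php", "phtml", "pht", "phps", "php3", "php3p", "php4", "php5"}

def parse_mime_types(text):
    """Return {extension: type} from mime.types-style text."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for ext in fields[1:]:
            table[ext.lower()] = fields[0]
    return table

def resolve_type(filename, table, removed=frozenset()):
    """Simplified mod_mime model: the first dot-separated part is the base name,
    every later part is an extension, unknown extensions are skipped, and the
    right-most extension that has a type wins."""
    mime = None
    for ext in filename.lower().split(".")[1:]:
        if ext not in removed and ext in table:
            mime = table[ext]
    return mime

def runs_as_php(filename, table, removed=frozenset()):
    """True if the FilesMatch handler or the resolved type hands the file to mod_php."""
    by_handler = bool(FILES_MATCH.search(filename))
    return by_handler or resolve_type(filename, table, removed) == PHP_TYPE

def audit(names, table, removed=frozenset()):
    """Names that run as PHP although the FilesMatch regex does not match them."""
    return [n for n in names
            if runs_as_php(n, table, removed) and not FILES_MATCH.search(n)]

if __name__ == "__main__":
    table = parse_mime_types(SAMPLE_MIME_TYPES)
    uploads = ["index.php", "blah.php.blubb", "photo.php.jpg", "notes.txt", "x.pht"]  # constructed
    print("without RemoveType:", audit(uploads, table))
    print("with RemoveType:   ", audit(uploads, table, REMOVE_TYPE))
```

The `removed` argument models RemoveType as it behaves from the apache2 versions named in the NB above; on older versions the types loaded from mime.types stay in effect.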