[php-maint] Bug#589384: libapache2-mod-php5: Even with new SetHandler config, php is still activated because of mime type

Stefan Fritsch sf at debian.org
Sat Jul 17 08:41:12 UTC 2010


Package: libapache2-mod-php5
Version: 5.2.11.dfsg.1-2
Severity: normal


Even with the new

    <FilesMatch "\.ph(p3?|tml)$">
        SetHandler application/x-httpd-php
    </FilesMatch>

config, Files named blah.php.blubb are still executed as php scripts because
they are assigned the type application/x-httpd-php in /etc/mime.types and
mod_php will execute all files of this type. This can of course be a security
problem for sites that accept uploaded files.

There are two possible remedies:
- Remove all relevant types from /etc/mime.types
- Add
	    RemoveType php phtml pht phps php3 php3p php4 php5
   to php5.conf


I am slightly in favor of the RemoveType solution (together with a comment
explaining the why). Changes to /etc/mime.types may easily be refused
on upgrade by the user (I expect the diff to be rather large).

If you think the correct fix would be to change /etc/mime.types, feel free
to reassign the bug.


NB: RemoveType works for types loaded from mime.types only since apache2
2.2.14-2 (or upstream version 2.2.15).





More information about the pkg-php-maint mailing list