[php-maint] Bug#674205: Bug#674205: php5-common: possible improvement for the Apache PHP/CGI documentation

Ondřej Surý ondrej at debian.org
Mon Aug 6 10:49:04 UTC 2012

You forgot to cc control at bugs.debian.org which is in fact a good
thing, because this is by no means a critical bug.

The issue is only in the README file which also clearly states
(together with hint to use php5-fpm):

  In 99% of cases, what you probably want isn't php5-cgi package at
  all, but rather the libapache2-mod-php5 package, which will
  configure itself on installation and Just Work(tm). If, however, you
  have a need to use the CGI version of PHP 5 with Apache HTTP Server,
  the following should help get you going, ***though there are dozens of
  different ways to do this.***


On Wed, Aug 1, 2012 at 2:08 AM, Christoph Anton Mitterer
<calestyo at scientia.net> wrote:
> I guess both, CGI and mod_php are affected by this but I haven't checked
> for the later, as it's security-wise... "problematic", which is why I
> never use it.

If you want to report a bug, you probably should at least check the
parts your report is about. And no, mod_php is not affected.

> See the aforementioned bug for what I suggest to do now.
> Basically:
> 1) Add a NEWS item entry, that these mime types were removed
> from /etc/mime.types and what this could mean.
> Possibly linking to the above bug.

Release notes addressed from mime-support is fine.

> 2) Add documentation for the end-users, how they should (safely) enable
> PHP.
> For CGI this would be the above (with a corrected mistake):
> -------------------------------------------------------
> #Note: The following is a security measure to remove any possible mappings that would also apply on “middle extensions” (for example “test.php.png”).
> RemoveType php

I am not going to add this.  If you have a previous mapping somewhere
else, it's your problem.

> <Files ?*.php>
>         AddType application/x-php php
> </Files>

This is a good idea.

> ScriptAlias /cgi-bin/php5-cgi /usr/lib/cgi-bin/php5
> Action application/x-php /cgi-bin/php5-cgi
> -------------------------------------------------------
> plus the note, that one SHOULD limit AT LEAST the ScriptAlias and
> Actionto _only_ such <Directory> blocks, where php files to be
> interpreted reside.

Again this is just a quick&dirty README and not PHP manual, but I have
added a reference to CGI Security section in PHP manual.

Ondřej Surý <ondrej at sury.org>

More information about the pkg-php-maint mailing list