[php-maint] Bug#674089: Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

Charles Plessy plessy at debian.org
Wed Aug 15 00:02:43 UTC 2012

Hi Ondřej,

> On Tue, Aug 14, 2012 at 2:50 AM, Charles Plessy <plessy at debian.org> wrote:
> Yes, I will probably add NEWS file to php5-cgi. Do you already have some
> text which can be added to release notes or we still need to cook something
> up? I would like to keep this text in sync.

For the moment there is the draft proposed by Christoph at http://bugs.debian.org/674089#66

mime-types package dropped non-standard definitions for PHP that might
affect any systems using PHP
The package mime-types has dropped the following non-standard
application/x-httpd-php                        phtml pht php
application/x-httpd-php-source                 phps
application/x-httpd-php3                       php3
application/x-httpd-php3-preprocessed          php3p
application/x-httpd-php4                       php4
application/x-httpd-php5                       php5

Systems, especially webservers (including but possibly not limited to
the Apache HTTPD Server) may have used this to mark files as having the
a PHP Internet Media Type (commonly known as MIME type).
They may have used it further, to determine that such files are to be
interpreted by PHP rather than served as normal files.

If a webserver would not consider these files to be interpreted anymore
this would have at least the following effects:
- PHP web programs/sites no longer work
- PHP files are directly exposed, which may be a security problem

In order to avoid any problems, read the README.Debian from the
php5-common package on how to correctly configure PHP (examples are
provided for the Apache HTTPD Server) and take care, that and PHP files
intended to be interpreted are recognised as such (typically by adding
MIME-Type or handler definitions in the webserver configuration).

More information can be found in bug #674089 and partially in #674205.

Once we have a final text, and once you have added a NEWS file to php5-cgi (or
decided to not do so), I will take care of doublechecking on debian-devel and
debian-release that there is a rough consensus for our approach.

By the way, may I ask you a favor ?

In http://bugs.debian.org/661240, filed on mime-support, a user reported that
the upgrade broke his installation of WorPpress in a strange way, where only
some PHP files are executed and others are displayed as source code.  I can't
understand why such a thing would happen, so I do not know what to answer him.
Do you have a suggestion ?

Have a nice day,

Charles Plessy
Tsurumi, Kanagawa, Japan

More information about the pkg-php-maint mailing list