[php-maint] Bug#674089: Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

Ondřej Surý ondrej at debian.org
Wed Aug 15 08:40:45 UTC 2012

On Wed, Aug 15, 2012 at 4:34 AM, Christoph Anton Mitterer
<calestyo at scientia.net> wrote:
> On Wed, 2012-08-15 at 09:02 +0900, Charles Plessy wrote:
>> For the moment there is the draft proposed by Christoph at http://bugs.debian.org/674089#66
> I should note perhaps, that this draft expected all the proposals I made
> in #674205 to be in place, which they were not yet, when I've looked the
> last time.

With the exception of RemoteType php they are all in place.

Thanks for the text, I will use it as a base for NEWS in php5-cgi.

This is the final text which I have committed to the git repository:

php5 (5.4.4-5) unstable; urgency=low

 Please be aware that mime-types package dropped non-standard
 definitions for PHP that might affect any systems using PHP 5
 running as CGI or FastCGI.

 The package mime-types has dropped the following non-standard

  application/x-httpd-php                        phtml pht php
  application/x-httpd-php-source                 phps
  application/x-httpd-php3                       php3
  application/x-httpd-php3-preprocessed          php3p
  application/x-httpd-php4                       php4
  application/x-httpd-php5                       php5

 Systems, especially webservers (including but possibly not limited to
 the Apache HTTPD Server) may have used this to mark files as having
 a PHP Internet Media Type (commonly known as MIME type).  They
 may have used it further, to determine that such files are to be
 interpreted by PHP rather than served as normal files.

 If a webserver would not consider these files to be interpreted
 anymore this would have at least the following effects:
  - PHP web programs/sites no longer work as expected
  - PHP files might be directly exposed, which may be a security

 In order to avoid any problems when not using Apache PHP5 module, and
 if you relied on MIME type definitions, read the README.Debian from
 the php5-common package on how to correctly configure PHP 5 running
 as a CGI or FastCGI (examples are provided for the Apache HTTPD
 Server) and take care that any PHP files intended to be interpreted
 are recognised as such (typically by adding MIME-Type or handler
 definitions in the webserver configuration).

 -- Ondřej Surý <ondrej at debian.org>  Wed, 15 Aug 2012 10:31:31 +0200

Ondřej Surý <ondrej at sury.org>
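
The failure mode described in the NEWS text above, as an added example that is not part of the original message or of the Debian packages: a check that reports which extensions were executed through a PHP MIME type before the removal and have lost that type afterwards. The Apache configuration, the `/cgi-bin/php5` path and the `text/html` line are constructed sample input; `AddType` and `Action` are the standard Apache directives.

```python
# Constructed sample input: mime.types before the removal (entries from the NEWS text).
OLD_MIME = """\
application/x-httpd-php                        phtml pht php
application/x-httpd-php-source                 phps
application/x-httpd-php3                       php3
application/x-httpd-php3-preprocessed          php3p
application/x-httpd-php4                       php4
application/x-httpd-php5                       php5
text/html                                      html htm
"""
NEW_MIME = "text/html                                      html htm\n"  # after the removal
# Constructed Apache config: PHP runs as CGI via Action on the MIME type.
APACHE_CONF = """\
Action application/x-httpd-php /cgi-bin/php5
AddType application/x-httpd-php .php
"""

def _directives(text):
    """Yield whitespace-split fields of each non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split()

def mime_map(mime_types_text):
    """mime.types format '<type> <ext> ...' -> {ext: type}."""
    return {ext.lower(): f[0].lower()
            for f in _directives(mime_types_text) for ext in f[1:]}

def addtype_map(conf_text):
    """Apache 'AddType <type> <ext> ...' -> {ext: type}."""
    return {ext.lstrip(".").lower(): f[1].lower()
            for f in _directives(conf_text)
            if f[0].lower() == "addtype" for ext in f[2:]}

def action_types(conf_text):
    """MIME types that an 'Action <type> <cgi-script>' directive executes."""
    return {f[1].lower() for f in _directives(conf_text)
            if f[0].lower() == "action" and len(f) >= 3}

def exposed_extensions(old_mime, new_mime, conf_text):
    """Extensions executed before the removal that now lack their PHP type."""
    executed = action_types(conf_text)
    before = {**mime_map(old_mime), **addtype_map(conf_text)}
    after = {**mime_map(new_mime), **addtype_map(conf_text)}
    return sorted(ext for ext, typ in before.items()
                  if typ in executed and after.get(ext) != typ)

if __name__ == "__main__":
    print(exposed_extensions(OLD_MIME, NEW_MIME, APACHE_CONF))
```

With the sample input, `.php` stays covered by the explicit `AddType` line, while `.phtml` and `.pht` depended only on the removed mime.types entries and are reported.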
