[php-maint] Bug#674089: Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems
Ondřej Surý
ondrej at debian.org
Wed Aug 15 08:40:45 UTC 2012
On Wed, Aug 15, 2012 at 4:34 AM, Christoph Anton Mitterer
<calestyo at scientia.net> wrote:
> On Wed, 2012-08-15 at 09:02 +0900, Charles Plessy wrote:
>> For the moment there is the draft proposed by Christoph at http://bugs.debian.org/674089#66
> I should note perhaps, that this draft expected all the proposals I made
> in #674205 to be in place, which they were not yet, when I've looked the
> last time.
With the exception of RemoteType php they are all in place.
Thanks for the text, I will use it as a base for NEWS in php5-cgi.
This is the final text which I have committed to the git repository:

php5 (5.4.4-5) unstable; urgency=low

  Please be aware that mime-types package dropped non-standard
  definitions for PHP that might affect any systems using PHP 5
  running as CGI or FastCGI.

  The package mime-types has dropped the following non-standard
  definitions:

    application/x-httpd-php phtml pht php
    application/x-httpd-php-source phps
    application/x-httpd-php3 php3
    application/x-httpd-php3-preprocessed php3p
    application/x-httpd-php4 php4
    application/x-httpd-php5 php5

  Systems, especially webservers (including but possibly not limited to
  the Apache HTTPD Server) may have used this to mark files as having
  a PHP Internet Media Type (commonly known as MIME type). They
  may have used it further, to determine that such files are to be
  interpreted by PHP rather than served as normal files.

  If a webserver would not consider these files to be interpreted
  anymore this would have at least the following effects:
  - PHP web programs/sites no longer work as expected
  - PHP files might be directly exposed, which may be a security
    problem

  In order to avoid any problems when not using Apache PHP5 module, and
  if you relied on MIME type definitions, read the README.Debian from
  the php5-common package on how to correctly configure PHP 5 running
  as a CGI or FastCGI (examples are provided for the Apache HTTPD
  Server) and take care that any PHP files intended to be interpreted
  are recognised as such (typically by adding MIME-Type or handler
  definitions in the webserver configuration).

 -- Ondřej Surý <ondrej at debian.org>  Wed, 15 Aug 2012 10:31:31 +0200

O.
--
Ondřej Surý <ondrej at sury.org>
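
Added example (not part of the original message or of the php5 package): a Python check that lists which of the dropped extensions have no mapping left in either a mime.types file or an Apache configuration. The handler name php5-cgi, the sample inputs and the function names are constructed for illustration, and FilesMatch patterns are evaluated with Python's re module as an approximation of Apache's matching.

```python
import re
# MIME types and extensions the NEWS entry lists as dropped.
DROPPED = {
    "application/x-httpd-php": ["phtml", "pht", "php"],
    "application/x-httpd-php-source": ["phps"],
    "application/x-httpd-php3": ["php3"],
    "application/x-httpd-php3-preprocessed": ["php3p"],
    "application/x-httpd-php4": ["php4"],
    "application/x-httpd-php5": ["php5"],
}
SAMPLE_MIME = "text/html\thtml htm shtml\n"  # constructed: PHP entries already gone
SAMPLE_CONF = r'''
AddHandler php5-cgi .php
<FilesMatch "\.ph(p3?|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>
'''  # constructed: a partial Apache configuration

def mime_types_exts(text):
    """Extensions that mime.types text still maps to one of the dropped types."""
    found = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0].lower() in DROPPED:
            found.update(e.lower() for e in fields[1:])
    return found

def apache_mappings(conf):
    """Extensions named by AddType/AddHandler, plus FilesMatch regexes that hold
    a SetHandler other than None."""
    exts, regexes, current = set(), [], None
    for line in (l.strip() for l in conf.splitlines()):
        words = line.split()
        opened = re.match(r'<FilesMatch\s+"?(.+?)"?\s*>$', line, re.I)
        if opened:
            current = opened.group(1)
        elif line.lower().startswith("</filesmatch"):
            current = None
        elif len(words) > 2 and words[0].lower() in ("addtype", "addhandler"):
            exts.update(w.lstrip(".").lower() for w in words[2:])
        elif current and len(words) > 1 and words[0].lower() == "sethandler" and words[1].lower() != "none":
            regexes.append(re.compile(current))
    return exts, regexes

def unmapped_extensions(mime_text, conf):
    """Dropped extensions that neither file maps to a type or handler any more."""
    typed, (exts, regexes) = mime_types_exts(mime_text), apache_mappings(conf)
    return sorted(e for group in DROPPED.values() for e in group
                  if e not in typed and e not in exts
                  and not any(r.search("index." + e) for r in regexes))
```

Calling unmapped_extensions(SAMPLE_MIME, SAMPLE_CONF) reports the extensions that the sample configuration would leave to be served as normal files; an empty list means every dropped extension is still mapped somewhere.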