[php-maint] Bug#674089: Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems
Stefan Fritsch
sf at debian.org
Wed Aug 15 22:24:12 UTC 2012
On Wednesday 15 August 2012, Christoph Anton Mitterer wrote:
> On Wed, 2012-08-15 at 21:07 +0200, Stefan Fritsch wrote:
> > Since we have gone to great pains to not use the magic MIME types
> > anymore, I think we should not recommend them here. Or at least
> > not as the first option.
>
> Stefan, can you please elaborate on what you mean with magic MIME
> types? (you're talking about MIME type discovery via libmagic or
> similar? That would be not what's suggested above!)
The mime types that are also handler names and cause mod_php to
execute scripts, i.e. application/x-httpd-php and
application/x-httpd-php-source. Using these as mime types is dangerous
because they may also cause things named like foo.php.bar to be executed.
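
The behaviour described in this message, as an added example that is not part of the original e-mail and not Apache or Debian code: a simplified Python model of mod_mime's per-extension type lookup, compared with an end-anchored filename pattern. The type table, the pattern, the function names and the sample file names are constructed assumptions.

```python
import re

# Constructed stand-in for mime.types plus the "magic" entry the message warns about.
TYPE_BY_EXT = {
    "php": "application/x-httpd-php",
    "html": "text/html",
    "jpg": "image/jpeg",
    "txt": "text/plain",
}
PHP_MAGIC_TYPE = "application/x-httpd-php"

# Assumed end-anchored pattern of the kind used with <FilesMatch> and SetHandler.
FILESMATCH_PHP = re.compile(r".+\.php$")


def type_by_extensions(filename):
    """Simplified model of mod_mime: every dot-separated part after the
    first is an extension; unknown ones are skipped and the rightmost
    extension that has a type mapping decides the content type."""
    parts = filename.rsplit("/", 1)[-1].split(".")[1:]
    resolved = None
    for ext in parts:
        mapped = TYPE_BY_EXT.get(ext.lower())  # extensions are case-insensitive
        if mapped is not None:
            resolved = mapped
    return resolved


def runs_with_magic_type(filename):
    """True if the extension lookup ends on the magic PHP type."""
    return type_by_extensions(filename) == PHP_MAGIC_TYPE


def runs_with_filesmatch(filename):
    """True only if the base name itself ends in .php."""
    return FILESMATCH_PHP.fullmatch(filename.rsplit("/", 1)[-1]) is not None


def audit(filenames):
    """Names that execute under the magic type but not under the anchored pattern."""
    return [n for n in filenames
            if runs_with_magic_type(n) and not runs_with_filesmatch(n)]


if __name__ == "__main__":
    # Constructed sample of file names, e.g. from an upload directory listing.
    sample = ["index.php", "foo.php.bar", "foo.php.jpg", "notes.txt", "upload/a.php.bak"]
    for name in audit(sample):
        print("executes only via magic MIME type:", name)
```

Running `audit()` over a listing of a web-writable directory shows which existing names depend on the multi-extension lookup; `foo.php.jpg` is not flagged because `.jpg` has its own type mapping to the right of `.php`.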