[php-maint] Request for review of NEWS and README.Debian in PHP
Ondřej Surý
ondrej at debian.org
Tue Aug 21 10:37:32 UTC 2012
Justin,
thank you very much. As always I envy your English language proficiency.
O.
On Tue, Aug 21, 2012 at 11:11 AM, Justin B Rye <jbr at edlug.org.uk> wrote:
> Ondřej Surý wrote:
>> 1. http://anonscm.debian.org/gitweb/?p=pkg-php/php.git;a=blob;f=debian/php5-cgi.NEWS;hb=HEAD
>
> (Silently fixing articles throughout, but ignoring stylistic issues
> like single quotes and spaces after stops):
>
>> * As a security measure the default configuration for Apache 2 has been
>> changed to more strict model. Only files which has the correct
> stricter have
>> extension at the most right place and has a filename (e.g. at least
>> one character before the extension) are now interpreted by PHP. For a
>
> Rephrasing:
> [...] Only files which have the correct
> rightmost extension, and at least one character in the filename before
> that extension, are now interpreted by PHP. [...]
>
>> full list of handled extensions please see Apache 2 configuration. At
>> the time of writing this paragraph this includes following regular
>> expressions:
>
> (Extra comma)
>
> [...]
>> Previously the default configuration would allow to interpret files
>
> Objectless "allow" isn't allowed.
>
>> with double extension where the second extension would be either
>> unknown or language or content encoding. E.g. uploaded file named
>
> s/unknown/unrecognised/
>
>> blackhat.php.foobar or index.php.cs would be interpreted by PHP as a
>> side effect of system MIME-Type definitions. These non-standard
> ~ ~ ~ ~ ~ ~
> Surely this "side effect" is part of the whole "previously" thing, not
> just something that belongs in the example?
>
> [...]
>> The standard configuration now also denies access to files which only
>> consist of extension and nothing more, e.g. accessing '/.php' would
>> now return Access Denied instead of output of PHP script.
> [...]
>
> It's the filenames that consist of "extension and nothing more", not
> the files. (And of course this whole notion of UNIX filenames having
> "extensions" is a creeping MS-DOSism, but this isn't the place to moan
> about that.)
>
> [...]
>> 2. http://anonscm.debian.org/gitweb/?p=pkg-php/php.git;a=blob;f=debian/NEWS;hb=HEAD
> [...]
>
> Not much work here:
>> Please be aware that the mime-types package dropped non-standard
> ^has
> and an s/and also/as well as/ later on.
>
>> 3. http://anonscm.debian.org/gitweb/?p=pkg-php/php.git;a=blob;f=debian/php5-common.README.Debian;hb=HEAD
>
> I did a few minor tweaks to other parts of this file, such as
> s/eg./e.g./, s/php/PHP/, s/sapi/SAPI/. Here the standard appears to
> be single-spaced sentences...
>
>> In simple cases, what you probably want isn't php5-cgi package at
>> all, but rather the libapache2-mod-php5 package, which will
>> configure itself on installation and Just Work(tm). If, however, you
> However, if\n you
> [...]
>> More recent way of doing this is to install php5-fpm package and use
>
> I would suggest:
> The current recommended approach is to install the php5-fpm package
> and use
>
>> FastCGI to interface of your webserver. However you will have to
> to
>> use libapache2-mod-fastcgi package (from non-free) or different
>> FastCGI capable webserver (f.e. nginx or lighttpd) since
> ^^^^
> No such abbreviation; just use English "such as".
>
>> libapache2-mod-fcgid available from main archive has no way how to
>> interact with external FastCGI servers.
>
> [...] has no way of interacting [...]
>
> [...]
>> You should also be aware, that a server deployed in CGI mode is open
> X
>> to several possible vulnerabilities, see upstream CGI security page
> . See
>> to learn ow to defend yourself from such attacks:
> how
>> http://www.php.net/manual/en/security.cgi-bin.php
> [...]
>> 4) It's advised to not mix&match multiple SAPIs (f.e. php5-cgi and
> mix-and-match such as
>> libapache2-mod-php5) in the same apache2 configuration as it is
>> likely to create unpredictable results.
>>
>
>
> --
> JBR with qualifications in linguistics, experience as a Debian
> sysadmin, and probably no clue about this particular package
>
--
Ondřej Surý <ondrej at sury.org>
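The NEWS entry under review describes the Apache handler change in terms of filenames. As an added illustration (not part of the thread, and not Debian's own configuration), the small model below contrasts the two behaviours: the earlier mapping, assumed here to be `AddType application/x-httpd-php .php`, where mod_mime lets an unrecognised, language or encoding suffix keep the PHP type, and the stricter rule, assumed to be a `FilesMatch` on `\.ph(p3?|tml)$` plus a deny for names that are only an extension. The extension tables are constructed for the example, not Debian's full lists.

```python
import re

# Constructed, illustrative extension tables (not Debian's real lists).
PHP_EXTENSIONS = {"php", "php3", "phtml"}
KNOWN_TYPES = {"html": "text/html", "jpg": "image/jpeg", "txt": "text/plain"}
LANGUAGES = {"en", "cs", "de"}   # what AddLanguage entries would register
ENCODINGS = {"gz", "bz2"}        # what AddEncoding entries would register


def old_model_runs_php(path: str) -> bool:
    """Earlier default (assumed: AddType application/x-httpd-php .php).

    mod_mime inspects every dot-separated segment of the basename.  A later
    segment replaces the media type only if it maps to a type itself, so a
    language, encoding or unknown suffix leaves the PHP type in place.
    """
    segments = path.rsplit("/", 1)[-1].split(".")[1:]
    mime_type = None
    for seg in segments:
        seg = seg.lower()
        if seg in PHP_EXTENSIONS:
            mime_type = "application/x-httpd-php"
        elif seg in KNOWN_TYPES:
            mime_type = KNOWN_TYPES[seg]
        # seg in LANGUAGES / ENCODINGS / unknown: media type unchanged
    return mime_type == "application/x-httpd-php"


# Assumed stricter rules: handler only on the rightmost extension, and a
# basename that is nothing but the extension is refused.
NEW_HANDLER = re.compile(r"\.ph(p3?|tml)$", re.IGNORECASE)
BARE_EXTENSION = re.compile(r"^\.ph(p3?|tml)$", re.IGNORECASE)


def new_model(path: str) -> str:
    """Return 'deny', 'php' or 'static' for the stricter configuration."""
    name = path.rsplit("/", 1)[-1]
    if BARE_EXTENSION.match(name):
        return "deny"        # e.g. '/.php' -> Access Denied
    if NEW_HANDLER.search(name):
        return "php"         # rightmost extension is a PHP one
    return "static"          # served as a plain file, never interpreted


if __name__ == "__main__":
    for p in ("/blackhat.php.foobar", "/index.php.cs", "/.php", "/index.php"):
        print(p, "old:", old_model_runs_php(p), "new:", new_model(p))
```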