[php-maint] Request for review of NEWS and README.Debian in PHP

Ondřej Surý ondrej at debian.org
Tue Aug 21 10:37:32 UTC 2012


Justin,

Thank you very much. As always I envy your English language proficiency.

O.

On Tue, Aug 21, 2012 at 11:11 AM, Justin B Rye <jbr at edlug.org.uk> wrote:
> Ondřej Surý wrote:
>> 1. http://anonscm.debian.org/gitweb/?p=pkg-php/php.git;a=blob;f=debian/php5-cgi.NEWS;hb=HEAD
>
> (Silently fixing articles throughout, but ignoring stylistic issues
> like single quotes and spaces after stops):
>
>>  * As a security measure the default configuration for Apache 2 has been
>>    changed to more strict model.  Only files which has the correct
>                   stricter                           have
>>    extension at the most right place and has a filename (e.g. at least
>>    one character before the extension) are now interpreted by PHP.  For a
>
> Rephrasing:
>      [...] Only files which have the correct
>      rightmost extension, and at least one character in the filename before
>      that extension, are now interpreted by PHP. [...]
>
>>    full list of handled extensions please see Apache 2 configuration.  At
>>    the time of writing this paragraph this includes following regular
>>    expressions:
>
> (Extra comma)
>
> [...]
>>    Previously the default configuration would allow to interpret files
>
> Objectless "allow" isn't allowed.
>
>>    with double extension where the second extension would be either
>>    unknown or language or content encoding.  E.g. uploaded file named
>
> s/unknown/unrecognised/
>
>>    blackhat.php.foobar or index.php.cs would be interpreted by PHP as a
>>    side effect of system MIME-Type definitions.  These non-standard
>      ~ ~ ~ ~ ~ ~
> Surely this "side effect" is part of the whole "previously" thing, not
> just something that belongs in the example?
>
> [...]
>>    The standard configuration now also denies access to files which only
>>    consist of extension and nothing more, e.g. accessing '/.php' would
>>    now return Access Denied instead of output of PHP script.
> [...]
>
> It's the filenames that consist of "extension and nothing more", not
> the files.  (And of course this whole notion of UNIX filenames having
> "extensions" is a creeping MS-DOSism, but this isn't the place to moan
> about that.)
>
> [...]
>> 2. http://anonscm.debian.org/gitweb/?p=pkg-php/php.git;a=blob;f=debian/NEWS;hb=HEAD
> [...]
>
> Not much work here:
>> Please be aware that the mime-types package dropped non-standard
>                                              ^has
> and an s/and also/as well as/ later on.
>
>> 3. http://anonscm.debian.org/gitweb/?p=pkg-php/php.git;a=blob;f=debian/php5-common.README.Debian;hb=HEAD
>
> I did a few minor tweaks to other parts of this file, such as
> s/eg./e.g./, s/php/PHP/, s/sapi/SAPI/.  Here the standard appears to
> be single-spaced sentences...
>
>>   In simple cases, what you probably want isn't php5-cgi package at
>>   all, but rather the libapache2-mod-php5 package, which will
>>   configure itself on installation and Just Work(tm). If, however, you
>                                                         However, if\n you
> [...]
>>   More recent way of doing this is to install php5-fpm package and use
>
> I would suggest:
>     The current recommended approach is to install the php5-fpm package
>     and use
>
>>   FastCGI to interface of your webserver.  However you will have to
>                          to
>>   use libapache2-mod-fastcgi package (from non-free) or different
>>   FastCGI capable webserver (f.e. nginx or lighttpd) since
>                                ^^^^
> No such abbreviation; just use English "such as".
>
>>   libapache2-mod-fcgid available from main archive has no way how to
>>   interact with external FastCGI servers.
>
>     [...] has no way of interacting [...]
>
> [...]
>>   You should also be aware, that a server deployed in CGI mode is open
>                             X
>>   to several possible vulnerabilities, see upstream CGI security page
>                                        . See
>>   to learn ow to defend yourself from such attacks:
>              how
>>   http://www.php.net/manual/en/security.cgi-bin.php
> [...]
>>   4) It's advised to not mix&match multiple SAPIs (f.e. php5-cgi and
>                            mix-and-match             such as
>>      libapache2-mod-php5) in the same apache2 configuration as it is
>>      likely to create unpredictable results.
>>
>
>
> --
> JBR     with qualifications in linguistics, experience as a Debian
>         sysadmin, and probably no clue about this particular package
>
> _______________________________________________
> pkg-php-maint mailing list
> pkg-php-maint at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-php-maint



-- 
Ondřej Surý <ondrej at sury.org>
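The php5-cgi NEWS entry under review describes the change from "any .php segment in the name selects the PHP handler" to "only a rightmost PHP extension with at least one character before it, and bare '.php' names denied". The following is an added example, not code from the thread or from the Debian package: it models both behaviours in Python and classifies some constructed request paths. The extension pattern (ph(p[345]?|t|tml)) is an assumption modelled on the php5 Apache configuration the entry points to; the thread itself elides the exact regular expressions.

```python
import re

# ASSUMPTION: modelled on the php5 Apache configuration the NEWS entry refers
# to; the exact regexes are not reproduced in the thread.
PHP_EXT = r"ph(p[345]?|t|tml)"

# New configuration: the handler applies only when at least one character
# precedes the rightmost PHP extension, and a basename that is nothing but the
# extension (e.g. '.php') is explicitly denied.
NEW_HANDLER = re.compile(r".+\." + PHP_EXT)
NEW_DENY = re.compile(r"\." + PHP_EXT)


def old_config(basename: str) -> str:
    """Model of the previous AddType-based setup: mod_mime inspects every
    dot-separated segment after the first, so a '.php' segment followed by an
    unrecognised or language/encoding extension still selects the PHP handler."""
    segments = basename.split(".")[1:]
    if any(re.fullmatch(PHP_EXT, seg) for seg in segments):
        return "php"
    return "static"


def new_config(basename: str) -> str:
    """Model of the stricter FilesMatch-based setup described in the NEWS entry.
    fullmatch() stands in for Apache's anchored '$' match on the basename."""
    if NEW_DENY.fullmatch(basename):
        return "denied"
    if NEW_HANDLER.fullmatch(basename):
        return "php"
    return "static"


def classify(path: str) -> dict:
    """Return how the old and the new default configuration treat one path."""
    basename = path.rsplit("/", 1)[-1]
    return {"old": old_config(basename), "new": new_config(basename)}


# Constructed sample paths for the demonstration (not taken from the thread).
SAMPLE_PATHS = [
    "/index.php",               # ordinary script: interpreted in both setups
    "/blackhat.php.foobar",     # unrecognised trailing extension
    "/index.php.cs",            # trailing language-code extension
    "/upload/avatar.php.jpg",   # the classic upload bypass
    "/.php",                    # filename that is only an extension
    "/readme.txt",              # plain static file
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        d = classify(p)
        print(f"{p:26} old={d['old']:7} new={d['new']}")
```

The uploaded-file cases are the ones that matter: under the old model a name like blackhat.php.foobar is executed because mod_mime honours the php segment regardless of what follows it, while the anchored pattern only fires when the PHP extension is the rightmost one. When checking a real deployment, test the same kind of names against the live Apache configuration rather than trusting the model, since AddType/AddHandler lines elsewhere in the server config can reintroduce the old behaviour.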


