[php-maint] Bug#674205: php5-common: possible improvement for the Apache PHP/CGI documentation
Christoph Anton Mitterer
calestyo at scientia.net
Wed May 23 20:24:23 UTC 2012
Package: php5-common
Version: 5.4.3-5
Severity: wishlist
Hi.
Currently, README.Debian documents the setup of CGI with Apache like this:
<IfModule mod_actions.c>
ScriptAlias /cgi-bin/php5-cgi /usr/lib/cgi-bin/php5
Action php5-cgi /cgi-bin/php5-cgi
AddHandler php5-cgi .php
</IfModule>
May I suggest to change it to:
-------------------------------------------------------
#Note: The following is a security measure to remove any possible mappings that would also apply on “middle extensions” (for example “test.php.png”).
RemoveType php
<Files ?*.php>
AddType application/x-httpd-php php
</Files>
ScriptAlias /cgi-bin/php5-cgi /usr/lib/cgi-bin/php5
Action php5-cgi /cgi-bin/php5-cgi
-------------------------------------------------------
Motivation:
- Conditionally including (<IfModule mod_actions.c>) can be dangerous:
If mod_actions is not loaded, no handler is set and any .php files will be served
as normal files.
While it's certainly a bad idea to rely on the php files being secret, many still have
the bad habit of storing sensitive information in them.
- AddHandler php5-cgi .php alone means that any file that has the "php" extension at any
place, e.g. also example.php.jpeg, is interpreted by php, which can lead to the usual
security attacks.
Putting that in a <Files ?*.php> block prevents this, and only files ending in ".php"
(which excludes the file ".php" itself) will be interpreted.
- The "RemoveType php" removes any previous possible mappings that may also affect the
"middle extensions".
The current /etc/mime.types file in Debian no longer sets a MIME type for PHP, so
with that one it's not a problem,... but IMHO that should return to mime.types as it's
not the business of that file to secure the strange extensions handling from apache.
- I personally prefer setting a MIME type instead of a handler... which has the advantage
that if one really wants to serve (and not interpret) .php files... the definition is
then already in place :)
Cheers,
Chris.
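The following is an added illustration of the "middle extension" point made in the report above; it is not part of the original message nor of the php5 package. It is a small Python model of how mod_mime's AddHandler looks at every dot-separated extension of a filename, while a <Files ?*.php> block only matches names that end in ".php". The matching functions, the `old_config_interprets` / `new_config_interprets` names and the sample filenames are constructed for this example, not taken from Apache's code.

```python
import fnmatch

# Constructed sample filenames, as they might appear in a DocumentRoot.
SAMPLE_FILES = [
    "index.php",          # ordinary script, should run under both configs
    "test.php.png",       # the "middle extension" case from the report
    "example.php.jpeg",   # same problem, different trailing extension
    ".php",               # bare dotfile, excluded by the ?*.php glob
    "image.png",          # plain static file
    "upload.phtml",       # different extension, must not match "php"
]


def _basename(path):
    """Apache matches <Files> and extensions against the final path component."""
    return path.rsplit("/", 1)[-1]


def addhandler_matches(filename, ext):
    """Model of mod_mime's extension handling (assumption for this example):
    every dot-separated segment after the first dot counts as an extension,
    so a handler bound to 'php' also fires for 'example.php.jpeg'."""
    segments = _basename(filename).split(".")[1:]
    return ext in segments


def files_block_matches(filename, pattern):
    """Model of <Files pattern>: shell-style wildcard against the basename.
    '?' matches exactly one character and '*' any run, so '?*.php' needs at
    least one character before '.php', which leaves out the bare '.php'."""
    return fnmatch.fnmatchcase(_basename(filename), pattern)


def old_config_interprets(filename, mod_actions_loaded=True):
    """README.Debian variant: everything sits inside <IfModule mod_actions.c>,
    so with the module missing no handler is set at all and the file is
    served as a plain download; with it loaded, AddHandler php5-cgi .php
    applies to any filename carrying a 'php' segment."""
    if not mod_actions_loaded:
        return False
    return addhandler_matches(filename, "php")


def new_config_interprets(filename):
    """Proposed variant: AddType application/x-httpd-php php is only in
    effect for names matching <Files ?*.php>, i.e. names ending in '.php'."""
    return files_block_matches(filename, "?*.php")


def classify(filenames):
    """Return {filename: (interpreted_under_old, interpreted_under_new)}."""
    return {
        name: (old_config_interprets(name), new_config_interprets(name))
        for name in filenames
    }


if __name__ == "__main__":
    for name, (old, new) in classify(SAMPLE_FILES).items():
        print(f"{name:20s} old={old!s:5s} new={new!s:5s}")
```

Running it prints one line per sample name; the rows for test.php.png and example.php.jpeg are the ones the report is about (interpreted under the old snippet, served as static content under the proposed one), and the last two columns agree on the ordinary cases.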