[php-maint] Bug#674205: php5-common: possible improvement for the Apache PHP/CGI documentation

Christoph Anton Mitterer calestyo at scientia.net
Wed May 23 20:24:23 UTC 2012


Package: php5-common
Version: 5.4.3-5
Severity: wishlist


Hi.

Currently, README.Debian documents the setup of CGI with Apache like this:
     <IfModule mod_actions.c>
       ScriptAlias /cgi-bin/php5-cgi /usr/lib/cgi-bin/php5
       Action php5-cgi /cgi-bin/php5-cgi
       AddHandler php5-cgi .php
     </IfModule>


May I suggest to change it to:
-------------------------------------------------------
#Note: The following is a security measure to remove any possible mappings that would also apply on “middle extensions” (for example “test.php.png”).
RemoveType php
<Files ?*.php>
        AddType application/x-httpd-php php
</Files>

ScriptAlias /cgi-bin/php5-cgi /usr/lib/cgi-bin/php5
Action php5-cgi /cgi-bin/php5-cgi
-------------------------------------------------------


Motivation:
- Conditionally including (<IfModule mod_actions.c>) can be dangerous:
  If modaction is not loaded, no handler is set and any .php files will be served
  as normal files.
  While it's certainly a bad idea to rely on the php files being secret, many still have
  the bad habbit of storing sensitive information in them.

- AddHandler php5-cgi .php alone makes that any file that has the "php" extension at any
  place, e.g. also example.php.jpeg being interpreted by php, which can lead to the usual
  security attacks.
  Putting that in a <Files ?*.php> block, prevents this and only files ending in ".php"
  (which excludes the file ".php" itself) will be interpreted.

- The "RemoveType php" removes any previous possible mappings that may also affect the
  "middle extensions".
  The current /etc/mime.types file in Debian does not longer set a MIME type for PHP so
  with that one it's not a problem,... but IMHO that should return to mime.types as it's
  not the business of that file to secure the strange extensions handling from apache.

- I personally prefer setting a MIME type instead of a handler... which has the advantage
  that if one really want's to serve (and not interpret) .php files... the definition is
  then already in place :)



Cheers,
Chris.





More information about the pkg-php-maint mailing list