Package: php5-common
Version: 5.4.3-5
Severity: wishlist

Hi.

Currently, README.Debian documents the setup of CGI with Apache like this:
     <IfModule mod_actions.c>
       ScriptAlias /cgi-bin/php5-cgi /usr/lib/cgi-bin/php5
       Action php5-cgi /cgi-bin/php5-cgi
       AddHandler php5-cgi .php
     </IfModule>


May I suggest to change it to:
-------------------------------------------------------
# Note: The following is a security measure to remove any possible mappings that
# would also apply on "middle extensions" (for example "test.php.png").
RemoveType php
<Files ?*.php>
        AddType application/x-httpd-php php
</Files>

ScriptAlias /cgi-bin/php5-cgi /usr/lib/cgi-bin/php5
# The Action must name the MIME type set above (mod_actions accepts a handler
# name or a MIME type); "Action php5-cgi" would never fire without an AddHandler.
Action application/x-httpd-php /cgi-bin/php5-cgi
-------------------------------------------------------


Motivation:
- Conditionally including (<IfModule mod_actions.c>) can be dangerous:
  If mod_actions is not loaded, no handler is set and any .php files will be
  served as normal files.
  While it's certainly a bad idea to rely on the PHP files being secret, many
  still have the bad habit of storing sensitive information in them.

- AddHandler php5-cgi .php alone makes any file that has the "php" extension at
  any place, e.g. also example.php.jpeg, be interpreted by PHP, which can lead to
  the usual security attacks.
  Putting that in a <Files ?*.php> block prevents this, and only files ending in
  ".php" (which excludes the file ".php" itself) will be interpreted.

- The "RemoveType php" removes any previous possible mappings that may also
  affect the "middle extensions".
  The current /etc/mime.types file in Debian no longer sets a MIME type for PHP,
  so with that one it's not a problem... but IMHO that should return to
  mime.types, as it's not the business of that file to secure Apache's strange
  handling of extensions.

- I personally prefer setting a MIME type instead of a handler, which has the
  advantage that if one really wants to serve (and not interpret) .php files,
  the definition is then already in place :)



Cheers,
Chris.
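The "middle extension" behaviour the report describes, as an added illustration that is not part of the bug report or of the Debian php5 packaging: the script models the two matching rules side by side. mod_mime treats every dot-separated component after the base name as a possible extension, so "AddHandler php5-cgi .php" fires on example.php.jpeg; a "<Files ?*.php>" block only brings the mapping into scope when the base name matches that shell glob. The function names and the sample file names are constructed for this example.

```python
"""
Model of how Apache decides whether a request for a given filename is handed
to PHP under the two configurations discussed in the report.  Added example,
not code from the report or from Debian; file names below are constructed.
"""
import fnmatch
import posixpath


def handled_by_addhandler(path: str) -> bool:
    """'AddHandler php5-cgi .php' semantics.

    mod_mime looks at every dot-separated component after the base name, in
    any order, so 'php' anywhere after the first dot selects the handler
    (example.php.jpeg is executed as PHP).
    """
    base = posixpath.basename(path)
    components = base.split(".")[1:]          # everything after the base name
    return "php" in components


def handled_by_files_block(path: str) -> bool:
    """'<Files ?*.php> AddType application/x-httpd-php php </Files>' semantics.

    The mapping is only in scope when the base name matches the shell glob
    ?*.php: at least one character, then a literal '.php' at the very end.
    '.php' alone therefore does not match, as the report notes.
    """
    base = posixpath.basename(path)
    return fnmatch.fnmatchcase(base, "?*.php")


# Constructed sample names covering the cases raised in the report.
SAMPLES = [
    "index.php",            # ordinary PHP script
    "example.php.jpeg",     # "middle extension": looks like an image upload
    "test.php.png",
    ".php",                 # no base name before the extension
    "uploads/avatar.png",   # unrelated static file
]


def compare(paths=SAMPLES):
    """Return {path: (AddHandler result, <Files ?*.php> result)} per sample."""
    return {p: (handled_by_addhandler(p), handled_by_files_block(p)) for p in paths}


if __name__ == "__main__":
    for path, (loose, strict) in compare().items():
        print(f"{path:22} AddHandler .php -> {loose!s:5}  <Files ?*.php> -> {strict}")
```

Running it shows example.php.jpeg and test.php.png executed under the plain AddHandler rule but served as static files under the <Files ?*.php> rule, which is exactly the difference the suggested configuration relies on.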


