On Thursday 31 May 2012, Christoph Anton Mitterer wrote:
> So from my side I'd say the following:
>
> 1) IF a change like this happens,.. it definitely must go to the
> NEWS file, as - in the case of Apache HTTPD Server - it can even
> have security relevant outcomes.
> So Brian, as long as this change stays, could you please add such
> information?

Documenting this in a prominent place is a good idea. I would vote for the release notes plus either apache2 or mod_php NEWS file. It seems excessive to have it in the mime-support NEWS file since it is just noise to all non-apache2 users.

> 2) I agree with Thijs' (IIRC it was him) comment, that there are
> security implications in apache, i.e. that the mime.types file
> _alone_ would also have files like foo.php.jpeg marked as
> application/x-httpd-php and therefore possibly interpreted as PHP
> code (which is well known, but stupid and dangerous anyway).
> But that's easy to solve, see below.
>
> 3) Given that mime.types may be used by many programs, which may
> want to know about PHP files as well... it's a bad idea to fix
> Apache HTTPD's stupidity (well at least "difficult" extension
> handling) by removing types from mime.types.

The x-httpd- types are really historic ballast from the time there was no separate way to configure the handler (Apache 1.3.x or even 1.2.x). Because of their special properties, they are called magic MIME types in apache httpd. Therefore I think they should be considered an internal (and deprecated) implementation detail of apache httpd and should not be used as real MIME types anywhere else.

As #589384 explained, declaring them globally is bad for security. And it would be really strange to set these magic types globally just to remove them with "RemoveType php" again in the default apache2 configuration.

But adding a different type for .php to /etc/mime.types is fine with me. There is some discussion at http://cweiske.de/tagebuch/php-mimetype.htm which type may be best. Both text/x-php and application/x-php seem ok to me.

Cheers,
Stefan
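A check for the situation discussed in this thread, as an added example that is not part of the original mail or of any Debian package: it lists the x-httpd- magic types a mime.types file declares and flags file names such as foo.php.jpeg that carry one of those extensions before the last one. The sample file contents, function names and file names are constructed for illustration.

```python
import re

# Constructed sample in /etc/mime.types layout: "type ext1 ext2 ...",
# '#' starts a comment, a type may have no extensions at all.
SAMPLE_MIME_TYPES = """\
# constructed sample, not a real system file
image/jpeg                      jpeg jpg jpe
application/x-httpd-php         phtml pht php
application/x-httpd-php-source  phps
text/html                       html htm
text/x-php
"""

# The thread calls the x-httpd- types "magic MIME types".
MAGIC = re.compile(r"^[^/\s]+/x-httpd-", re.IGNORECASE)


def magic_extensions(mime_types_text):
    """Return {extension: magic_type} for every x-httpd-* entry."""
    found = {}
    for line in mime_types_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and MAGIC.match(fields[0]):
            for ext in fields[1:]:
                found[ext.lower()] = fields[0]
    return found


def hidden_magic_names(filenames, magic):
    """Return (name, ext, type) for names where a magic extension is
    present but is not the final extension, e.g. foo.php.jpeg."""
    hits = []
    for name in filenames:
        exts = name.lower().split(".")[1:]
        for ext in exts[:-1]:          # every extension except the last
            if ext in magic:
                hits.append((name, ext, magic[ext]))
                break
    return hits


if __name__ == "__main__":
    magic = magic_extensions(SAMPLE_MIME_TYPES)
    for ext, mtype in sorted(magic.items()):
        print(f"magic type declared globally: .{ext} -> {mtype}")
    uploads = ["foo.php.jpeg", "photo.jpeg", "index.php", "notes.phps.txt"]
    for name, ext, mtype in hidden_magic_names(uploads, magic):
        print(f"review: {name} carries .{ext} ({mtype})")
```

Run against the real /etc/mime.types and an upload directory listing, an empty result from magic_extensions means the magic types are no longer declared globally.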