Package: libapache2-mod-php5
Version: 5.5.9+dfsg-1
Severity: normal
Tags: patch
It is wise to surround the apache config file with an <IfModule
mod_php5.c> directive, just in case for some bizarre reason the config
script is still enabled even after the module is disabled or the
package removed. Its presence won't harm but might protect. The
attached patch includes this.
More significantly, the config file still uses the apache 2.2
Allow/Deny directives; the attached patch converts these into the
equivalent apache 2.4 directives.
Julian
--- php5.conf.dpkg-dist 2014-02-14 09:08:07.952582773 +0000
+++ php5.conf 2014-02-14 09:09:13.331228344 +0000
@@ -1,3 +1,4 @@
+<IfModule mod_php5.c>
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
SetHandler application/x-httpd-php
</FilesMatch>
@@ -6,13 +7,11 @@
# Deny access to raw php sources by default
# To re-enable it's recommended to enable access to the files
# only in specific virtual host or directory
- Order Deny,Allow
- Deny from all
+ Require all denied
</FilesMatch>
# Deny access to files without filename (e.g. '.php')
<FilesMatch "^\.ph(p[345]?|t|tml|ps)$">
- Order Deny,Allow
- Deny from all
+ Require all denied
</FilesMatch>
# Running PHP scripts in user directories is disabled by default
@@ -25,3 +24,4 @@
php_admin_flag engine Off
</Directory>
</IfModule>
+</IfModule> # mod_php5.c
