On Thu, Aug 16, 2012 at 01:14:58AM +0200, Christoph Anton Mitterer wrote:
> On Thu, 2012-08-16 at 00:24 +0200, Stefan Fritsch wrote:
> > > Stefan, can you please elaborate on what you mean with magic MIME
> > > types? (you're talking about MIME type discovery via libmagic or
> > > similar? That would be not what's suggested above!)
> >
> > The mime types that are also handler names and cause mod_php to
> > execute scripts, i.e. application/x-httpd-php and
> > application/x-httpd-php-source. Using these as mime types is
> > dangerous because they may also cause things named like foo.php.bar
> > to be executed.
>
> Well the same is (IIRC) the case when you use handlers? No?
>
> Anyway,... the configuration snippets I proposed in #674205 are _NOT_
> vulnerable to the issue you describe, even though using AddType.
> btw: I've emphasised this several times already,...

Dear all,

is the following summary accurate?

 - In Squeeze, using default configurations, files with ".php" in their
   name such as "foo.php.jpeg" are executed as PHP scripts by the Apache
   web server.

 - To solve that problem, the media (MIME) type for PHP has been removed
   from /etc/mime.types (http://bugs.debian.org/589384).

 - This breaks the websites executing PHP scripts through php5-cgi, and a
   solution will be documented in the php5 package's NEWS file, and the
   same text will be proposed to the release notes
   (http://bugs.debian.org/674089, work in progress).

 - Unfortunately, the proposed solution exposes these websites to the
   original problem that caused the PHP media types to be removed from
   /etc/mime.types.

If the last point is true, I wonder how the other distributions are
solving it, given that in Fedora and Ubuntu, /etc/mime.types also does
not contain the PHP media types.

Can somebody investigate? I think that I do not understand the problem
well enough to be that person.

Have a nice day,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan
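
Added example, not part of the original message or of any Debian package: a small audit script that lists files under a document root whose names carry ".php" in a non-final position, the "foo.php.jpeg" / "foo.php.bar" pattern discussed in this thread. The function names and the sample tree are constructed for illustration, and only ".php" is checked by default because it is the only extension the thread names.

```python
import os
import tempfile

# Assumption: only ".php" is named in the thread; pass more extensions if the
# server maps them to PHP as well.
PHP_EXTENSIONS = frozenset({"php"})


def embedded_php_extension(filename, php_exts=PHP_EXTENSIONS):
    """Return the PHP extension found in a non-final position, else None.

    "foo.php.jpeg" -> "php"; "foo.php" and "foo.jpeg" -> None.
    """
    parts = filename.split(".")
    # parts[0] is the base name and parts[-1] the final extension; anything
    # in between is an inner extension. mod_mime matches extensions
    # case-insensitively, so compare in lower case.
    for ext in parts[1:-1]:
        if ext.lower() in php_exts:
            return ext.lower()
    return None


def audit_tree(root, php_exts=PHP_EXTENSIONS):
    """Walk root; return sorted relative paths of files with an inner PHP extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if embedded_php_extension(name, php_exts):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def demo():
    """Build a constructed document root and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        for rel in ("index.php", "uploads/foo.php.jpeg", "uploads/foo.PHP.bar",
                    "uploads/photo.jpeg", "uploads/phpinfo.txt"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("constructed sample\n")
        return audit_tree(root)


if __name__ == "__main__":
    for path in demo():
        print("inner .php extension:", path)
```

Call audit_tree() on a real document root or upload directory; a hit means the file name matches the pattern from the thread, not that the server configuration in use would actually execute it.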