Hi all, [multiple messages from d-d and d-r merged together]
> I am also concerned that a *simple* solution to restore the old > behaviour in a secure way is not provided: maybe php5-cgi should install > a sensible default configuration in /etc/apache2/conf.d/ ? I have prepared new update for PHP based on comments from d-d. The commit is here: http://anonscm.debian.org/gitweb/?p=pkg-php/php.git;a=commit;h=72eef08994f65b227103509617652d7c0bf0587a To sum the changes: - create dummy php5_cgi module, which has the required configuration inside - enable this module if upgrading from anything older than 5.4.4-5 - the module is not enabled on fresh installs (user has to enable it manually) - update NEWS.Debian to: php5 (5.4.4-5) unstable; urgency=low Please be aware that the mime-types package dropped non-standard definitions for PHP that might affect any systems using PHP 5 running as CGI or FastCGI. Following definitions were dropped: application/x-httpd-php phtml pht php application/x-httpd-php-source phps application/x-httpd-php3 php3 application/x-httpd-php3-preprocessed php3p application/x-httpd-php4 php4 application/x-httpd-php5 php5 The php5-cgi package mitigates any known issues by creating a (dummy) apache2 module php5_cgi with a configuration containing handlers for all previously defined extensions. Even though we believe that this configuration should keep your PHP scripts interpreted, it might be a good idea to check your apache2 site-wide configuration and also any specific PHP configuration for websites running on your system. As far as we know definitions from the mime-types packages are not used in any other webserver included in Debian, but it might affect any application which relies on system MIME types to interpret PHP files. -- Ondřej Surý <ond...@debian.org> Wed, 15 Aug 2012 10:31:31 +0200 - Update the README.Debian to match current state. I will upload this change as part of 5.4.6-1 upload to Debian experimental and if everything is ok, I'll merge it back to 5.4.4-5 targeted to unstable->testing. > As far as the mime-support package is concerned, I think that we reached the > consensus that we will not add the entries back, and that the consequences > will > be documented in the php5-cgi package's NEWS file and in the release notes. I agree on that, even though I think that PHP should have it's own mimetype definition (same as python or perl, e.g. application/x-php, but let's keep this discussion out of this issue, since it's something different). > I guess we could consider that for a very specific, low-popcon package. > But knowingly interrupting upgrades for a well-known problem, on a very > high number of systems? I'm not sure that's appropriate. Quite the > opposite, actually. I believe that update that I just did should solve any backwards compatibility issues. (Crossed fingers... have to do thourough testing first, I tend to make mistakes from time to time.) > Many of the users of php5-cgi will be doing so because they are using other > web servers. The discussion in #674089 seems to mainly revolve around > Apache. How does this affect other web servers? I am not aware of any other (Debian shipped) web server which uses system-wide mime-types. At least both nginx and lighttpd don't depend on system mime types for interpreting PHP files (both use extension based definitions). > - In Squeeze, using default configurations, files with ".php" in their name > such as "foo.php.jpeg" are executed as PHP scripts by the Apache web > servers > runing PHP scripts through php5-cgi. Charles, did you test that or you base that claim on Christoph's mails? I have just tested both php5-cgi in standard configuration as recommended in README.Debian and this claim doesn't seem to be true: $ wget -q -O - http://localhost:8080/index.php bar $ wget -q -O - http://localhost:8080/index.php.jpeg <?php echo 'foo'; ?> Also Apache2 documentation is very clear on that issue: See http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext > If more than one extension is given that maps onto the same type of > meta-information, then the one to the right will be used, except for > languages and content encodings. For example, if .gif maps to the MIME-type > image/gif and .html maps to the MIME-type text/html, then the file > welcome.gif.html will be associated with the MIME-type text/html. However there could be a problem when you use MIME-type and handler together (which we *don't* use): > Care should be taken when a file with multiple extensions gets associated > with both a MIME-type and a handler. This will usually result in the request > being handled by the module associated with the handler. > Maybe that's because it's expected they would be PHP scripts emitting > JPEG files, not plain JPEG files? This seems like a feature to me, not a > bug. Why was support for that removed? My testing shows that the support for this was NEVER there in the first place; neither in php5-cgi nor in libapache2-mod-php5. (Unless you have jumped through some loops and used custom configuration not recommended by upstream - in that case you will also probably have a configuration which overrides our configuration anyway.) O. P.S.: Ccing me or pkg-php-maint increases the change I will see the message and reply to you. -- Ondřej Surý <ond...@sury.org> -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/caljhhg9mnn7twcaa2rrqytunqoucime5fcf1tb9xhvsmfop...@mail.gmail.com
