Re: Fixing stupid PHP application design flaws
On Thu, 28 Apr 2005, Martin Schulze wrote:
> What do people on this list think about fixing PHP include files in a
> DSA that are accessible via HTTP as well and contain one bug or
> another as they are not supposed to be accessible via HTTP but
> accidentally are.
I think not only should we do it, we should also make a big fuss about it,
so that some of the PHP people out there at least have a chance to get the
Also, as a service for ourselves and our users, IMHO we should be making it
explicitly RC (after sarge, maybe?) to have *any* configuration file or
include file in a tree that is exported via a webserver in *any* webserver
application (so this is not a PHP-only fix, although that specific kind of
braindamage seems to be 99% the fault of the PHP community nowadays...).
I.e. IMHO, if it is to be included in Debian, either the maintainer or
upstream has to get their act clean first, or it is not even allowed in.
> These files should not be accessible via HTTP in the first place but
> put into /usr/share/something instead and included from there.
Not to mention all the config files which should be in /etc and never *ever*
accessible from outside either. We do have to deal with php_safemode
braindead semi-chrooting somehow, though.
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot