Re: Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems
On Thursday 31 May 2012, Christoph Anton Mitterer wrote:
> So from my side I'd say the following:
>
> 1) IF a change like this happens,.. it definitely must go to the
> NEWS file, as - in the case of Apache HTTPD Server - it can even
> have security relevant outcomes.
> So Brian, as long as this change stays, could you please add such
> information?
Documenting this in a prominent place is a good idea. I would vote for
the release notes plus either apache2 or mod_php NEWS file. It seems
excessive to have it in the mime-support NEWS file since it is just
noise to all non-apache2 users.
>
> 2) I agree with Thijs' (IIRC it was him) comment that there are
> security implications in apache, i.e. that the mime.types file
> _alone_ would also have files like foo.php.jpeg marked as
> application/x-httpd-php and therefore possibly interpreted as PHP
> code (which is well known, but stupid and dangerous anyway).
> But that's easy to solve, see below.
>
> 3) Given that mime.types may be used by many programs, which may
> want to know about PHP files as well... it's a bad idea to fix
> Apache HTTPD's stupidity (well at least "difficult" extension
> handling) by removing types from mime.types.
The x-httpd- types are really historic ballast from the time there was
no separate way to configure the handler (Apache 1.3.x or even 1.2.x).
Because of their special properties, they are called magic MIME types
in apache httpd. Therefore I think they should be considered an
internal (and deprecated) implementation detail of apache httpd and
should not be used as real MIME types anywhere else.
As #589384 explained, declaring them globally is bad for security. And
it would be really strange to set these magic types globally just to
remove them with "RemoveType php" again in the default apache2
configuration.
But adding a different type for .php to /etc/mime.types is fine with
me. There is some discussion at http://cweiske.de/tagebuch/php-mimetype.htm
which type may be best. Both text/x-php and application/x-php seem ok
to me.
Cheers,
Stefan
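Since the thread's point is that the application/x-httpd-* entries are magic Apache handler types rather than real MIME types, an administrator may want to check whether a given mime.types file still declares them, and which extensions they claim. The script below is an added example written for this discussion; it is not part of the mime-support or apache2 packages. It assumes only the documented /etc/mime.types line format ("type ext ext ..." with "#" comments) and runs on a constructed sample rather than the real file.

```python
# Audit a file in /etc/mime.types format for Apache "magic" handler types
# (application/x-httpd-*) and for extensions claimed by more than one type.
# Added example, not code from the mime-support package or the thread.

# Constructed sample in mime.types format; not the real Debian file.
# It deliberately keeps the old magic entries next to a text/x-php entry
# so that the extension conflict on "php" is visible.
SAMPLE_MIME_TYPES = """\
# constructed sample, mirrors the "type<tab>ext ext" layout
application/x-httpd-php\t\tphtml pht php
application/x-httpd-php-source\tphps
image/jpeg\t\t\t\tjpeg jpg jpe
text/x-php\t\t\t\tphp
application/octet-stream\tbin
"""

# Prefix of the magic types the thread recommends removing from mime.types.
MAGIC_PREFIX = "application/x-httpd-"


def parse_mime_types(text):
    """Return a list of (mime_type, [extensions]) for each data line.

    Comment lines and blank lines are skipped; fields are split on any
    whitespace, so both tab- and space-separated files parse the same way.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1:]))
    return entries


def find_magic_types(entries):
    """Select entries whose type is an Apache magic handler type."""
    return [(t, exts) for t, exts in entries if t.startswith(MAGIC_PREFIX)]


def audit_mime_types(text):
    """Summarise magic types, the extensions they claim, and duplicate claims.

    Returns a dict with:
      magic_types      - the application/x-httpd-* types present
      magic_extensions - sorted extensions that would receive a magic type
      conflicts        - extension -> list of types that all claim it
    """
    entries = parse_mime_types(text)
    magic = find_magic_types(entries)

    claims = {}
    for mime_type, exts in entries:
        for ext in exts:
            claims.setdefault(ext, []).append(mime_type)
    conflicts = {ext: types for ext, types in claims.items() if len(types) > 1}

    return {
        "magic_types": [t for t, _ in magic],
        "magic_extensions": sorted({e for _, exts in magic for e in exts}),
        "conflicts": conflicts,
    }


if __name__ == "__main__":
    # To audit a real system, replace SAMPLE_MIME_TYPES with the contents
    # of /etc/mime.types read from disk.
    report = audit_mime_types(SAMPLE_MIME_TYPES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A non-empty `magic_types` list means the file still carries the deprecated Apache-internal types, and the `conflicts` map shows where a replacement such as text/x-php has been added without the old entry being dropped, so two types compete for the same extension.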