
Re: Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems
On Thursday 31 May 2012, Christoph Anton Mitterer wrote:
> So from my side I'd say the following:
> 
> 1) IF a change like this happens,.. it definitely must go to the
> NEWS file, as - in the case of Apache HTTPD Server - it can even
> have security relevant outcomes.
> So Brian, as long as this change stays, could you please add such
> information?

Documenting this in a prominent place is a good idea. I would vote for 
the release notes plus either apache2 or mod_php NEWS file. It seems 
excessive to have it in the mime-support NEWS file since it is just 
noise to all non-apache2 users.

> 
> 2) I agree with Thijs' (IIRC it was him) comment that there are
> security implications in apache, i.e. that the mime.types file
> _alone_ would also have files like foo.php.jpeg marked as
> application/x-httpd-php and therefore possibly interpreted as PHP
> code (which is well known, but stupid and dangerous anyway).
> But that's easy to solve, see below.
> 
> 3) Given that mime.types may be used by many programs, which may
> want to know about PHP files as well... it's a bad idea to fix
> Apache HTTPD's stupidity (well at least "difficult" extension
> handling) by removing types from mime.types.
The x-httpd- types are really historic ballast from the time there was 
no separate way to configure the handler (Apache 1.3.x or even 1.2.x). 
Because of their special properties, they are called magic MIME types 
in apache httpd. Therefore I think they should be considered an 
internal (and deprecated) implementation detail of apache httpd and 
should not be used as real MIME types anywhere else.

As #589384 explained, declaring them globally is bad for security. And 
it would be really strange to set these magic types globally just to 
remove them with "RemoveType php" again in the default apache2 
configuration.
But adding a different type for .php to /etc/mime.types is fine with 
me. There is some discussion at http://cweiske.de/tagebuch/php-mimetype.htm 
which type may be best. Both text/x-php and 
application/x-php seem ok to me.

Cheers,
Stefan
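To make the point of the thread concrete (a global x-httpd-* entry in mime.types matches the .php segment of a multi-extension name such as foo.php.jpeg, while a plain type such as text/x-php carries no handler magic), here is a small audit helper. It is an added example, not code from this thread, from Debian or from apache httpd: it parses text in the /etc/mime.types format, lists the magic application/x-httpd-* entries, and reports which dot-separated segments of a filename would hit one of them. The two mime.types excerpts are constructed for the example; the function names are mine.

```python
from typing import Dict, List, Tuple

# Constructed excerpt in /etc/mime.types format ("type  ext ext ..."),
# with the old-style magic PHP entries still present.
OLD_MIME_TYPES = """\
# comment lines and blank lines are ignored
application/x-httpd-php        php phtml pht
application/x-httpd-php-source phps
image/jpeg                     jpeg jpg jpe
text/html                      html htm
text/plain                     asc txt text
"""

# Constructed excerpt using the text/x-php alternative discussed above.
NEW_MIME_TYPES = """\
text/x-php                     php phtml pht
image/jpeg                     jpeg jpg jpe
text/html                      html htm
"""

# apache httpd's "magic" MIME types share this prefix.
MAGIC_PREFIX = "application/x-httpd-"


def parse_mime_types(text: str) -> Dict[str, str]:
    """Parse mime.types lines into an extension -> type map.

    Comments ('#' to end of line) and blank lines are skipped; extensions
    are lower-cased because mod_mime matches them case-insensitively.
    """
    mapping: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        mime_type, exts = fields[0], fields[1:]
        for ext in exts:
            mapping[ext.lower()] = mime_type
    return mapping


def magic_entries(mapping: Dict[str, str]) -> List[Tuple[str, str]]:
    """All (extension, type) pairs whose type is an x-httpd-* magic type."""
    return sorted(
        (ext, t) for ext, t in mapping.items() if t.startswith(MAGIC_PREFIX)
    )


def extensions(filename: str) -> List[str]:
    """Every dot-separated segment after the basename, the way mod_mime
    treats files with multiple extensions: foo.php.jpeg -> ['php', 'jpeg'].
    """
    base = filename.rsplit("/", 1)[-1]
    return [p.lower() for p in base.split(".")[1:] if p]


def magic_extensions(filename: str, mapping: Dict[str, str]) -> List[Tuple[str, str]]:
    """Segments of filename that map to a magic type under this mime.types."""
    return [
        (ext, mapping[ext])
        for ext in extensions(filename)
        if mapping.get(ext, "").startswith(MAGIC_PREFIX)
    ]


def audit(filenames: List[str], mapping: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Report, per filename, which segments would hit a magic type."""
    return {name: magic_extensions(name, mapping) for name in filenames}


if __name__ == "__main__":
    names = ["holiday.jpeg", "foo.php.jpeg", "index.phtml", "notes.txt"]
    for label, text in (("old", OLD_MIME_TYPES), ("new", NEW_MIME_TYPES)):
        table = parse_mime_types(text)
        print(f"{label}: magic entries = {magic_entries(table)}")
        for name, hits in audit(names, table).items():
            print(f"  {name}: {hits or 'no magic type'}")
```

Run against a real /etc/mime.types and the names in an upload directory, the `old` table flags foo.php.jpeg through its `php` segment, while the `new` table, which only knows text/x-php, flags nothing; that is the difference between a type that other programs can use and a type that doubles as an apache handler.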