
Re: Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems



On Friday 01 June 2012, Christoph Anton Mitterer wrote:
> Release notes is a good idea, Stefan, Brian... can anyone of you
> take care of this or should I (but I'm on vacation starting next
> Tue, so that would take some time).

There is still plenty of time. If you get to it first please cc: 
debian-apache@lists.debian.org so that we may comment on the wording.

> > either apache2 or mod_php NEWS file. It seems excessive to have it
> > in the mime-support NEWS file since it is just noise to all
> > non-apache2 users.
> 
> I'm not sure whether I can agree...
> At least mod_php is not enough,... people seem to always forget
> that it's totally ok (and IMHO from a security point of view even
> much better) to run PHP as CGI.

OK, make that mod_php and php-cgi. AFAICS the type is not relevant for 
FCGI.

> 
> Neither am I sure, whether Apache is enough, there may be other
> webservers in Debian that could use mime.types (though I haven't
> checked this).

I haven't found any hint that that type is relevant for either 
lighttpd or nginx. And the change was made quite some time ago and 
nobody has complained so far.


> > see below.
> 
> Stefan, you haven't commented on this...
> I've already opened #674205, where I ask the php people to include
> what I'd consider the "safest/best" way to handle PHP mime-type in
> Apache.

Except for the "RemoveType php" your suggestion is not very different 
from what is in mod_php's config already. And I disagree about 
mime-type versus handler: This is exactly what handlers are for. The 
fact that mime-types also work is only for backward compatibility.

> IF mime.types will really ship no further definitions for PHP AND
> if that change is accordingly documented in release-notes/NEWS
> file(s) then I think there should be no definitions for PHP in
> Apache's default configs at all.

Hu? Apache's default config has only minimal php relevant elements 
(SSLOptions +StdEnvVars, DirectoryIndex index.php). But mod_php should 
certainly include everything in its config that is necessary to make it 
work.

> But we should perhaps check (how?) whether any other packages have
> started to use that mime type (things like nautilus/file/etc.)

I can see no reason that other apps may handle it specially and none 
has complained so far.

Cheers,
Stefan
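The mime-type versus handler distinction discussed above, as an added illustration that is not the config shipped by the Debian apache2 or mod_php packages: the first block is the MIME-type mapping the old mime.types entry effectively provided, the second is the handler-based form with the "RemoveType" step. The file name `upload.php.xyz` is a constructed example.

```apache
# Added example, not the Debian mod_php/apache2 packaged configuration.

# --- Mapping PHP by MIME type (what the old mime.types entry gave you) ---
# mod_mime evaluates every extension in a file name, so a constructed name
# such as "upload.php.xyz" (trailing extension unknown to mod_mime) keeps
# the type set by ".php" and is still handed to the PHP engine.
AddType application/x-httpd-php .php

# --- Mapping PHP by handler (what handlers are for) ---
# Drop any inherited type mapping first (the "RemoveType php" point), then
# bind the PHP handler only to names that actually end in ".php".
# mod_php accepts "application/x-httpd-php" both as a type (for backward
# compatibility) and as a handler name.
RemoveType .php
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
```

With the handler form, a name like `upload.php.xyz` does not match `\.php$` and is served with whatever type its last extension resolves to, rather than being executed.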

