[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems

Hey folks.

How are things going with this issue?

I guess what I propose here
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674089#35) is the
best/safest way to go:

1) something in the release notes
2) the NEWS files of at least
  mime-types, apache, php5-common (mod_php is not enough)
  likely also lighthttpd... maybe even more (nautilus? everything using
3) don't then add any "default" PHP type/handler definitions in the
apache config... remove any existing ones.

4) Add back a php mime type to mime-types.
As outline above... I strongly suggest:
for this:
Neither text/*... nor */php.

The root of this bug is obviously a) apache's strang handling of
mime-types and handlers and b) lack of clear _and_ safe rules provided
by php upstream/deb-package for the end user, on how to enable php.

5) As noted before, I've opened #674205,... where I suggest the IMHO,
safest way to get PHP enabled in Apache (there for CGI)...

We should lobby the PHP Debian maintainers to add to what I propose
there... and also add according documentation for non-CGI php, mainly
#Note: The following is a security measure to remove any possible
mappings that would also apply on “middle extensions” (for example
RemoveType php
<Files ?*.php>
        AddType application/x-httpd-php php

wihtout the ScriptAlias and Action.

See that bug which explains the motivation behind the Remove Type and the Files section


Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply to: