Hey folks. How are things going with this issue? I guess what I propose here (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674089#35) is the best/safest way to go: 1) something in the release notes 2) the NEWS files of at least mime-types, apache, php5-common (mod_php is not enough) likely also lighthttpd... maybe even more (nautilus? everything using mime-types?) 3) don't then add any "default" PHP type/handler definitions in the apache config... remove any existing ones. Optionally: 4) Add back a php mime type to mime-types. As outline above... I strongly suggest: application/x-php for this: Neither text/*... nor */php. The root of this bug is obviously a) apache's strang handling of mime-types and handlers and b) lack of clear _and_ safe rules provided by php upstream/deb-package for the end user, on how to enable php. 5) As noted before, I've opened #674205,... where I suggest the IMHO, safest way to get PHP enabled in Apache (there for CGI)... We should lobby the PHP Debian maintainers to add to what I propose there... and also add according documentation for non-CGI php, mainly this: #Note: The following is a security measure to remove any possible mappings that would also apply on “middle extensions” (for example “test.php.png”). RemoveType php <Files ?*.php> AddType application/x-httpd-php php </Files> wihtout the ScriptAlias and Action. See that bug which explains the motivation behind the Remove Type and the Files section Cheers, Chris.
Description: S/MIME cryptographic signature