
Re: Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems



On Sat, 2012-08-04 at 12:44 +0900, Charles Plessy wrote:
> do I understand correctly that the problem would be solved by documenting the
> change in the release notes ?
Well, as said, I do _NOT_ consider this to be enough (see my previous
mail for my proposed steps).


> If yes, can somebody write a draft and reassign this bug to the release-notes
> packages ?

What about:
-------------------------------------------------------
mime-types package dropped non-standard definitions for PHP that might
affect any systems using PHP
---
The package mime-types has dropped the following non-standard
definitions:
application/x-httpd-php                        phtml pht php
application/x-httpd-php-source                 phps
application/x-httpd-php3                       php3
application/x-httpd-php3-preprocessed          php3p
application/x-httpd-php4                       php4
application/x-httpd-php5                       php5

Systems, especially webservers (including but possibly not limited to
the Apache HTTPD Server), may have used this to mark files as having a
PHP Internet Media Type (commonly known as MIME type).
They may have used it further to determine that such files are to be
interpreted by PHP rather than served as normal files.

If a webserver would not consider these files to be interpreted anymore,
this would have at least the following effects:
- PHP web programs/sites no longer work
- PHP files are directly exposed, which may be a security problem


In order to avoid any problems, read the README.Debian from the
php5-common package on how to correctly configure PHP (examples are
provided for the Apache HTTPD Server) and take care that any PHP files
intended to be interpreted are recognised as such (typically by adding
MIME-Type or handler definitions in the webserver configuration).

More information can be found in bug #674089 and partially in #674205.
-------------------------------------------------------

As you can see, I personally would put the burden of explaining how to
(securely) configure PHP to the PHP packages...
I have some discussions about that with Ondřej in #674205 ... I'm not
yet fully happy with it (see there)... and although he closed the bug
and said he'd have applied some of my proposals, I could not yet find
these changes there.


I haven't yet reassigned the bug, as I think my other steps of what I
think should be done will finally get lost then.


Cheers,
Chris.
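As an added illustration of the failure mode described in the draft above (this is example code, not part of the mail or of any Debian package), the following audit parses a mime.types file and an Apache fragment and reports which PHP suffixes would neither be typed as PHP by mime.types nor handed to PHP by the webserver config, i.e. which files would be served verbatim. The mime.types samples and the FilesMatch directive are constructed for the example.

```python
"""Audit which PHP-style suffixes would be served as plain files once
/etc/mime.types loses its application/x-httpd-php* lines (Bug#674089)."""
import re

# Extensions the dropped mime.types entries covered (from the bug report).
PHP_EXTENSIONS = ["phtml", "pht", "php", "phps", "php3", "php3p", "php4", "php5"]

# Constructed sample: the six entries as they stood before removal, plus one other.
OLD_MIME_TYPES = """\
application/x-httpd-php                        phtml pht php
application/x-httpd-php-source                 phps
application/x-httpd-php3                       php3
application/x-httpd-php3-preprocessed          php3p
application/x-httpd-php4                       php4
application/x-httpd-php5                       php5
text/html                                      html htm
"""
NEW_MIME_TYPES = "text/html  html htm\n"  # constructed: PHP entries gone

# Constructed Apache fragment: an explicit handler for three suffixes only.
APACHE_CONF = """\
<FilesMatch "\\.ph(p3?|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>
"""

def parse_mime_types(text):
    """mime.types format: '<type> <ext> <ext> ...' per line; '#' starts a comment."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for ext in fields[1:]:
            mapping[ext.lower()] = fields[0]
    return mapping

def apache_php_extensions(conf):
    """Suffixes the Apache config itself hands to PHP, either via
    'AddType application/x-httpd-php .ext' or a FilesMatch/SetHandler block."""
    handled = set()
    for m in re.finditer(r"^\s*AddType\s+application/x-httpd-php\S*\s+(.+)$", conf, re.M):
        handled.update(e.lstrip(".").lower() for e in m.group(1).split())
    for m in re.finditer(r'<FilesMatch\s+"([^"]+)">(.*?)</FilesMatch>', conf, re.S | re.I):
        if re.search(r"SetHandler\s+application/x-httpd-php", m.group(2)):
            pat = re.compile(m.group(1))
            handled.update(e for e in PHP_EXTENSIONS if pat.search("index." + e))
    return handled

def exposed_extensions(mime_types_text, apache_conf):
    """Suffixes neither mime.types nor Apache marks as PHP: served verbatim, source disclosed."""
    mime = parse_mime_types(mime_types_text)
    handled = apache_php_extensions(apache_conf)
    return sorted(e for e in PHP_EXTENSIONS if e not in handled
                  and not mime.get(e, "").startswith("application/x-httpd-php"))
```

Run it against the real `/etc/mime.types` and the output of `apache2ctl -S`-listed config files to see which suffixes on a given host still depend on the removed entries.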
