
Re: Fwd: [php-maint] Updating php5 to 5.4.4-5 broke FastCGI setup on my machine

On Sat, Oct 6, 2012 at 9:51 PM, Stefan Fritsch <sf@debian.org> wrote:
> Hi Ondřej,
> I also cannot think of any configuration that would make everyone happy. At
> the moment, I fear this can only be solved by more documentation.
> Maybe one could add such a paragraph to the NEWS entry of php5-cgi 5.4.4-5,
> e.g. before "The standard configuration now also..." :
>   WARNING: The new configuration may override other configuration
>   directives you may have added locally for the .php extension, for
>   example for FastCGI processing. This behavior is caused by <FilesMatch>
>   configuration sections overriding directives appearing in global server
>   or VirtualHost scope. You should review and test your configuration and
>   verify that your php scripts work as expected.

In the end I have used slightly different text with a warning to check
the existing setup for the foo.php.jpeg vulnerability. Improvements welcome
(as a patch, not as a rant).

+ The new (dummy) php5_cgi configuration uses SetHandler directive and
+ thus it might interfere with your existing custom configuration like
+ FastCGI (mod_fcgid or mod_fastcgi).  In that case please disable
+ php5_cgi module (a2dismod php5_cgi) to reenable the existing
+ functionality of your custom configuration.  It is also advised that
+ you check your custom configuration whether it's not vulnerable to
+ foo.php.jpeg attacks.  The php5_cgi configuration snippet can be used
+ as base - it's important to use FilesMatch or Files directive to
+ limit the handling to the last extension.
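Review bot: the last sentence tells the reader to "use FilesMatch or Files directive to limit the handling to the last extension" but gives no pattern, and whether the expression is anchored is exactly what decides whether a name like foo.php.jpeg matches. Suggest quoting the snippet's own pattern, or at least stating that the regular expression must end in `$` (for example `<FilesMatch "\.php$">`) so that only the final extension is considered, since an unanchored match or an AddHandler line keeps the behaviour the warning is about. Two smaller points: `a2dismod php5_cgi` only takes effect after the server is reloaded, which the text should say, and "reenable" should read "re-enable".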

I think it became clear that we are stuck with no solution which would
work for anyone, so this is the minimal variant of what we should do
in the PHP package.  If somebody comes up with a better solution (or just tests
the non-magic mime-types as written down by sf in
http://wiki.debian.org/Apache/WheezyMimeTypes), I think we can still
change that before release. But now we at least need more test in

Ondřej Surý <ondrej@sury.org>
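To make the "limit the handling to the last extension" advice from the NEWS text concrete, here is an added Apache configuration example (not from the Debian package or from either poster) that puts the weak handler mapping next to the scoped one. The handler name php-cgi-handler and the /cgi-bin/php5 Action target are assumptions chosen for illustration.

```apache
# WEAK (assumed legacy custom config): AddHandler maps the handler whenever
# ".php" appears as ANY dot-separated component of the file name, so an
# uploaded "foo.php.jpeg" is still executed through the PHP CGI/FastCGI
# wrapper.  This is the foo.php.jpeg case the NEWS entry warns about.
AddHandler php-cgi-handler .php
Action php-cgi-handler /cgi-bin/php5

# SCOPED (what the NEWS text recommends): FilesMatch tests the whole file
# name against a regular expression.  The "$" anchor means only the LAST
# extension decides, so "foo.php" matches and "foo.php.jpeg" does not.
# This is also why a FilesMatch/SetHandler section shipped by php5_cgi
# overrides AddHandler lines in server or VirtualHost scope.
<FilesMatch ".+\.php$">
    SetHandler php-cgi-handler
</FilesMatch>
Action php-cgi-handler /cgi-bin/php5

# Equivalent for a single exact file name, using Files instead of a regex.
<Files "index.php">
    SetHandler php-cgi-handler
</Files>
```

After changing either form, check the result with a request for a two-extension name such as test.php.jpeg and confirm it is served as a static file (or rejected) rather than executed.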
