Hey folks.
How are things going with this issue?
I guess what I propose here
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674089#35) is the
best/safest way to go:
1) something in the release notes
2) the NEWS files of at least
mime-types, apache, php5-common (mod_php is not enough)
likely also lighttpd... maybe even more (nautilus? everything using
mime-types?)
3) don't then add any "default" PHP type/handler definitions in the
apache config... remove any existing ones.
Optionally:
4) Add back a php mime type to mime-types.
As outlined above... I strongly suggest:
application/x-php
for this:
Neither text/*... nor */php.
The root of this bug is obviously a) apache's strange handling of
mime-types and handlers and b) lack of clear _and_ safe rules provided
by php upstream/deb-package for the end user, on how to enable php.
5) As noted before, I've opened #674205,... where I suggest the IMHO,
safest way to get PHP enabled in Apache (there for CGI)...
We should lobby the PHP Debian maintainers to add to what I propose
there... and also add according documentation for non-CGI php, mainly
this:
# Note: The following is a security measure to remove any possible
# mappings that would also apply on “middle extensions” (for example
# “test.php.png”).
RemoveType php
<Files ?*.php>
    AddType application/x-httpd-php php
</Files>
without the ScriptAlias and Action.
See that bug, which explains the motivation behind the RemoveType and the Files section.
Cheers,
Chris.
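
The scoping rule proposed in the message above, as an added example that is not part of the original e-mail or of any Debian package: a small Python linter that flags PHP `AddType`/`AddHandler` mappings left outside a `<Files>`/`<FilesMatch>` section, plus helpers showing which names carry a "middle" php extension and which names the `?*.php` pattern accepts. The function names and sample configs are constructed for illustration, and Python's `fnmatch` is used here as an approximation of Apache's wildcard matching.

```python
import fnmatch
import re

# AddType/AddHandler <type-or-handler> <ext> [<ext> ...]
MAPPING = re.compile(r'^\s*(AddType|AddHandler)\s+(\S+)\s+(.+)$', re.I)
FILES_OPEN = re.compile(r'^\s*<Files(Match)?\b', re.I)
FILES_CLOSE = re.compile(r'^\s*</Files(Match)?\s*>', re.I)

# Constructed sample configs (not taken from any real package).
WEAK = "# global mapping\nAddType application/x-httpd-php .php\n"
SCOPED = ("RemoveType php\n<Files ?*.php>\n"
          "    AddType application/x-httpd-php php\n</Files>\n")

def is_php_ext(ext):
    """True for php, .php, php5, ... (leading dot optional)."""
    return ext.lstrip('.').lower().startswith('php')

def unscoped_php_mappings(config_text):
    """Return (line_number, directive) for PHP extension mappings that are
    not enclosed in a <Files>/<FilesMatch> section."""
    depth, findings = 0, []
    for number, line in enumerate(config_text.splitlines(), 1):
        if FILES_OPEN.match(line):
            depth += 1
        elif FILES_CLOSE.match(line):
            depth = max(depth - 1, 0)
        else:
            m = MAPPING.match(line)
            if (m and depth == 0 and 'php' in m.group(2).lower()
                    and any(is_php_ext(e) for e in m.group(3).split())):
                findings.append((number, line.strip()))
    return findings

def has_middle_php_extension(filename):
    """True when a php-like extension appears before the final extension."""
    extensions = filename.split('.')[1:]
    return any(is_php_ext(e) for e in extensions[:-1])

def files_pattern_matches(pattern, filename):
    """Approximate a <Files> wildcard match with fnmatch (assumption)."""
    return fnmatch.fnmatchcase(filename, pattern)

if __name__ == "__main__":
    print("weak config findings:  ", unscoped_php_mappings(WEAK))
    print("scoped config findings:", unscoped_php_mappings(SCOPED))
    for name in ("test.php", "test.php.png", "photo.png"):
        print(name, has_middle_php_extension(name),
              files_pattern_matches("?*.php", name))
```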