Re: release critical bug in apache2.2?

To: debian-devel@lists.debian.org
Subject: Re: release critical bug in apache2.2?
From: Jean-Christophe Dubacq <jcdubacq1@free.fr>
Date: Fri, 3 Nov 2006 07:43:36 +0100
Message-id: <[🔎] 20061103064336.GA21674@penpen.tenebreuse.org>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 20061102182011.GA30694@glandium.org>
References: <[🔎] eicvi7$te7$1@sea.gmane.org> <[🔎] 20061102182011.GA30694@glandium.org>

On Thu, Nov 02, 2006 at 07:20:12PM +0100, Mike Hommey wrote:
> On Thu, Nov 02, 2006 at 03:32:39PM +0100, Bastian Venthur <expires-2007@venthur.de> wrote:
> > Hi
> > 
> > I've just upgraded #393913 from minor to important.
> > 
> >  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=393913
> > 
> > Somebody just mailed me that this bug is release critical since it
> > allows to read/download php-scripts (like index.php).
> > 
> > Can somebody confirm that this bug is RC or should I just keep it important?
> 
> DirectoryIndex tells apache which file(s) it may use when the url points
> to a directory, instead of creating an index of the directory itself, if
> allowed to.
> 
> The default value for DirectoryIndex is index.html, which
> obviously forgets index.php. But that doesn't mean index.php will be
> readable as source. It only means that the auto index will be displayed
> if no index.html is present and if allowed to.
> 
> Auto-indexes are enabled only in /var/www/apache2-default and
> /usr/share/apache2/icons by default, so it is not likely to leak any
> unexpected file list.
> 
> So no, that doesn't grant an RC bug for these reasons.
> 
> On the other hand, it breaks configurations that used to work... (sites
> relying on this index.php setting will get 403 errors after upgrade from
> 2.0)

I remember that since the change, I had to make changes to several php
applications, because at the same time the default configuration did not
include any configuration in the case where php is not installed as
module but (e.g.) as CGI. phpmyadmin by default had a snippet in
.htaccess that was basically:
    <IfModule mod_cgi.c>
        AddType application/x-httpd-php .php

        Action application/x-httpd-php /cgi-bin/php
    </IfModule>
    <IfModule mod_cgid.c>
        AddType application/x-httpd-php .php

        Action application/x-httpd-php /cgi-bin/php
    </IfModule>

I had to put something of the same sort in phppgaccess, for example, as
well as DirectoryIndex index.php.

Since the change for DirectoryIndex happend at the same time, it might
be this that the user has seen. So the disappearance of index.php may
not be RC; however, the treatement of php as CGI is more likely to be
RC.

Reply to:

Follow-Ups:
- Re: release critical bug in apache2.2?
  - From: Mike Hommey <mh@glandium.org>

References:
- release critical bug in apache2.2?
  - From: Bastian Venthur <expires-2007@venthur.de>
- Re: release critical bug in apache2.2?
  - From: Mike Hommey <mh@glandium.org>

Prev by Date: Bug#396801: ITP: haskell-hxt -- Haskell XML Toolbox libraries
Next by Date: Re: release critical bug in apache2.2?
Previous by thread: Re: release critical bug in apache2.2?
Next by thread: Re: release critical bug in apache2.2?
Index(es):
- Date
- Thread