[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: release critical bug in apache2.2?

On 02.11.2006 20:16 schrieb sean finney:
> On Thu, 2006-11-02 at 19:20 +0100, Mike Hommey wrote:
>> Auto-indexes are enabled only in /var/www/apache2-default and
>> /usr/share/apache2/icons by default, so it is not likely to leak any
>> unexpected file list.
>> So no, that doesn't grant an RC bug for these reasons.
>> On the other hand, it breaks configurations that used to work... (sites
>> relying on this index.php setting will get 403 errors after upgrade from
>> 2.0)
> i imagine the apache maintainers will argue that it should be either (a)
> the webapp package or (b) the php apache module's repsonsibility
> to specify the additional DirectoryIndex.
> iirc DirectoryIndex does/can append to the list of index files, right?
> if so i'd have no problem slipping this into the php/apache module
> configuration files if that's the agreed course of action.  but whether
> or not this makes it to etch is an open question.

Is it possible that adding an updated DirectoryIndex does not fix the
whole bug? Although it fixes the problem that index.php files are not
recognized when entering a certain directory, I noticed that accessing a
php file directly like


The file does not get executed as expected, but the browser wants to
download it (which might be a security issue).



Bastian Venthur                                      http://venthur.de
Debian Developer                                 venthur at debian org

Reply to: