Re: release critical bug in apache2.2?
On 05.11.2006 14:04 schrieb Mike Hommey:
> On Sun, Nov 05, 2006 at 01:38:21PM +0100, Bastian Venthur <firstname.lastname@example.org> wrote:
>> On 02.11.2006 20:16 schrieb sean finney:
>>> On Thu, 2006-11-02 at 19:20 +0100, Mike Hommey wrote:
>>>> Auto-indexes are enabled only in /var/www/apache2-default and
>>>> /usr/share/apache2/icons by default, so it is not likely to leak any
>>>> unexpected file list.
>>>> So no, that doesn't grant an RC bug for these reasons.
>>>> On the other hand, it breaks configurations that used to work... (sites
>>>> relying on this index.php setting will get 403 errors after upgrade from
>>> i imagine the apache maintainers will argue that it should be either (a)
>>> the webapp package or (b) the php apache module's repsonsibility
>>> to specify the additional DirectoryIndex.
>>> iirc DirectoryIndex does/can append to the list of index files, right?
>>> if so i'd have no problem slipping this into the php/apache module
>>> configuration files if that's the agreed course of action. but whether
>>> or not this makes it to etch is an open question.
>> Is it possible that adding an updated DirectoryIndex does not fix the
>> whole bug? Although it fixes the problem that index.php files are not
>> recognized when entering a certain directory, I noticed that accessing a
>> php file directly like
>> The file does not get executed as expected, but the browser wants to
>> download it (which might be a security issue).
> Then it is likely that you don't have php installed.
Here is what I've installed:
# dpkg --list | grep php | cut -d " " -f -3
# cat /etc/apache2/sites-enabled/wiki
# Workaround #393913
DirectoryIndex index.html index.cgi index.pl index.php index.xhtml
The index.php lies directly in /var/www/wiki/
The rest is pretty much standard configuration and worked perfectly
Again, I'm certainly no apache-pro but I think something is wrong here
and since this is already in testing we should make sure to fix it
before it gets stable.
Bastian Venthur http://venthur.de
Debian Developer venthur at debian org