
Re: release critical bug in apache2.2?

On 05.11.2006 14:04 Mike Hommey wrote:
> On Sun, Nov 05, 2006 at 01:38:21PM +0100, Bastian Venthur <venthur@debian.org> wrote:
>> On 02.11.2006 20:16 sean finney wrote:
>>> On Thu, 2006-11-02 at 19:20 +0100, Mike Hommey wrote:
>>>> Auto-indexes are enabled only in /var/www/apache2-default and
>>>> /usr/share/apache2/icons by default, so it is not likely to leak any
>>>> unexpected file list.
>>>> So no, that doesn't grant an RC bug for these reasons.
>>>> On the other hand, it breaks configurations that used to work... (sites
>>>> relying on this index.php setting will get 403 errors after upgrade from
>>>> 2.0)
>>> i imagine the apache maintainers will argue that it should be either (a)
>>> the webapp package or (b) the php apache module's responsibility
>>> to specify the additional DirectoryIndex.
>>> iirc DirectoryIndex does/can append to the list of index files, right?
>>> if so i'd have no problem slipping this into the php/apache module
>>> configuration files if that's the agreed course of action.  but whether
>>> or not this makes it to etch is an open question.
>> Is it possible that adding an updated DirectoryIndex does not fix the
>> whole bug? Although it fixes the problem that index.php files are not
>> recognized when entering a certain directory, I noticed that accessing a
>> php file directly like
>> 	http://somedomain.tld/index.php
>> The file does not get executed as expected, but the browser wants to
>> download it (which might be a security issue).
> Then it is likely that you don't have php installed.

Here is what I've installed:
# dpkg --list | grep php | cut -d " " -f -3
ii  libapache2-mod-php5
ii  php5
ii  php5-common


# cat /etc/apache2/sites-enabled/wiki
<VirtualHost *:80>
    ServerName wiki.localhost
    ServerAlias wiki.*

    DocumentRoot /var/www/wiki/

    # Workaround #393913
    DirectoryIndex index.html index.cgi index.pl index.php index.xhtml

The index.php lies directly in /var/www/wiki/

The rest is pretty much standard configuration and worked perfectly
before 2.2.

Again, I'm certainly no apache-pro but I think something is wrong here
and since this is already in testing we should make sure to fix it
before it gets stable.



Bastian Venthur                                      http://venthur.de
Debian Developer                                 venthur at debian org
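
The symptom reported in this message (index.php offered for download instead of being executed) can be checked for mechanically after an upgrade. The following is an added example, not part of the original mail: the function names, the content-type list and the sample responses are assumptions constructed for illustration.

```python
import re

# Content types a browser will download rather than render; assumed list for
# this example, adjust it to the MIME map of the server being checked.
RAW_PHP_TYPES = {"application/x-httpd-php", "application/x-httpd-php-source",
                 "application/x-php", "text/x-php", "application/octet-stream"}
# "<?php" or "<?=" in a response body means the interpreter never saw the file.
# "<?xml" is deliberately not matched, so XHTML output is not flagged.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def classify(raw: bytes) -> str:
    """Return 'not-200', 'source-served', 'download-offered' or 'executed'."""
    status, headers, body = parse_response(raw)
    if status != 200:
        return "not-200"          # e.g. the 403 mentioned earlier in the thread
    if PHP_OPEN_TAG.search(body):
        return "source-served"    # raw PHP reached the client
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    attachment = headers.get("content-disposition", "").lower().startswith("attachment")
    if ctype in RAW_PHP_TYPES or attachment:
        return "download-offered"
    return "executed"


# Constructed sample responses (not captured from any real server).
LEAKED = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-httpd-php\r\n\r\n"
          b"<?php\n$db_password = 'placeholder';\n")
RENDERED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n"
            b"<?xml version=\"1.0\"?>\n<html><body>Main Page</body></html>")
FORBIDDEN = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\nForbidden"

if __name__ == "__main__":
    for name, raw in (("leaked", LEAKED), ("rendered", RENDERED), ("forbidden", FORBIDDEN)):
        print(name, "->", classify(raw))
```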
