[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: release critical bug in apache2.2?

Bastian Venthur wrote:
> On 02.11.2006 20:16 schrieb sean finney:
>> On Thu, 2006-11-02 at 19:20 +0100, Mike Hommey wrote:
>>> Auto-indexes are enabled only in /var/www/apache2-default and
>>> /usr/share/apache2/icons by default, so it is not likely to leak any
>>> unexpected file list.
>>> So no, that doesn't grant an RC bug for these reasons.
>>> On the other hand, it breaks configurations that used to work... (sites
>>> relying on this index.php setting will get 403 errors after upgrade from
>>> 2.0)
>> i imagine the apache maintainers will argue that it should be either (a)
>> the webapp package or (b) the php apache module's repsonsibility
>> to specify the additional DirectoryIndex.
>> iirc DirectoryIndex does/can append to the list of index files, right?
>> if so i'd have no problem slipping this into the php/apache module
>> configuration files if that's the agreed course of action.  but whether
>> or not this makes it to etch is an open question.
> Is it possible that adding an updated DirectoryIndex does not fix the
> whole bug? Although it fixes the problem that index.php files are not
> recognized when entering a certain directory, I noticed that accessing a
> php file directly like
> 	http://somedomain.tld/index.php
> The file does not get executed as expected, but the browser wants to
> download it (which might be a security issue).

Damn. The problem was my browser, still caching the old page. Clearing
the browserchache solved this problem.

Sorry :/

But the DirectoryIndex problem should be fixed nevertheless.



Bastian Venthur                                      http://venthur.de
Debian Developer                                 venthur at debian org

Reply to: