[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Possible release note for systems running PHP through CGI.

On Aug 19, Charles Plessy <plessy@debian.org> wrote:

>  - PHP scripts can be executed by Apache httpd through libapache2-mod-php5 or
>    php5-cgi.  Debian recommends libapache2-mod-php5, but there are still
This is another issue which concerns me, since mod_php forces the use of 
preforking apache, which means that the server will either stop serving 
pages or OOM at the first hint of real traffic.
(And obviously mod_php is wildly insecure for multitenants servers.)

>    thousands of installations wich report the use of php5-cgi according to the
>    Popularity Contest statistics.
Yes, because sensible people who need PHP will try to use it as 
CGI/FastCGI (or FPM, finally in wheezy).

>  - This breaks the websites executing PHP scripts through php5-cgi, and
>    a solution is being be documented in the php5 package's NEWS file.
>    http://anonscm.debian.org/gitweb/?p=pkg-php/php.git;a=commitdiff;h=f7a6351c620075a9d2a551fbed38ea26919f0d94
I think that this entry is too mild/vague:
- "including but possibly not limited to the Apache HTTPD Server": such 
  a major issue justifies being specific about the affected packages
- too many "may"s, while the entry should clearly state, maybe in caps, 
  something like "this will almost certainly break your server if you 
  use PHP as CGI/FastCGI, and also leak your source code and passwords"

> This will interrupt upgrade of servers using php5-cgi, but to avoid surprises,
> the rough consensus in #674089 is also to document the same information in the
> release notes.
I agree with the interrupting upgrades for such a major package is going 
to be annoying.
I am also concerned that a *simple* solution to restore the old 
behaviour in a secure way is not provided: maybe php5-cgi should install 
a sensible default configuration in /etc/apache2/conf.d/ ?


Attachment: signature.asc
Description: Digital signature

Reply to: