
Re: Possible release note for systems running PHP through CGI.

Hi all,

[multiple messages from d-d and d-r merged together]

> I am also concerned that a *simple* solution to restore the old
> behaviour in a secure way is not provided: maybe php5-cgi should install
> a sensible default configuration in /etc/apache2/conf.d/ ?

I have prepared a new update for PHP based on comments from d-d. The
commit is here:


To sum up the changes:

- create dummy php5_cgi module, which has the required configuration inside
- enable this module if upgrading from anything older than 5.4.4-5
- the module is not enabled on fresh installs (user has to enable it manually)
- update NEWS.Debian to:

php5 (5.4.4-5) unstable; urgency=low

 Please be aware that the mime-types package dropped non-standard
 definitions for PHP that might affect any systems using PHP 5 running
 as CGI or FastCGI.  Following definitions were dropped:

  application/x-httpd-php                        phtml pht php
  application/x-httpd-php-source                 phps
  application/x-httpd-php3                       php3
  application/x-httpd-php3-preprocessed          php3p
  application/x-httpd-php4                       php4
  application/x-httpd-php5                       php5

 The php5-cgi package mitigates any known issues by creating a (dummy)
 apache2 module php5_cgi with a configuration containing handlers for
 all previously defined extensions.  Even though we believe that this
 configuration should keep your PHP scripts interpreted, it might be a
 good idea to check your apache2 site-wide configuration and also any
 specific PHP configuration for websites running on your system.

 As far as we know definitions from the mime-types packages are not
 used in any other webserver included in Debian, but it might affect
 any application which relies on system MIME types to interpret PHP

 -- Ondřej Surý <ondrej@debian.org>  Wed, 15 Aug 2012 10:31:31 +0200

- Update the README.Debian to match current state.

I will upload this change as part of the 5.4.6-1 upload to Debian experimental
and if everything is ok, I'll merge it back to 5.4.4-5 targeted to

> As far as the mime-support package is concerned, I think that we reached the
> consensus that we will not add the entries back, and that the consequences will
> be documented in the php5-cgi package's NEWS file and in the release notes.

I agree on that, even though I think that PHP should have its own
mimetype definition (same as python or perl, e.g. application/x-php,
but let's keep this discussion out of this issue, since it's something

> I guess we could consider that for a very specific, low-popcon package.
> But knowingly interrupting upgrades for a well-known problem, on a very
> high number of systems? I'm not sure that's appropriate. Quite the
> opposite, actually.

I believe that the update I just did should solve any backwards
compatibility issues. (Crossed fingers... have to do thorough testing
first, I tend to make mistakes from time to time.)

> Many of the users of php5-cgi will be doing so because they are using other
> web servers. The discussion in #674089 seems to mainly revolve around
> Apache. How does this affect other web servers?

I am not aware of any other (Debian shipped) web server which uses
system-wide mime-types.  At least both nginx and lighttpd don't depend
on system mime types for interpreting PHP files (both use extension
based definitions).

>  - In Squeeze, using default configurations, files with ".php" in their name
>    such as "foo.php.jpeg" are executed as PHP scripts by the Apache web servers
>    running PHP scripts through php5-cgi.

Charles, did you test that or do you base that claim on Christoph's
mails?  I have just tested both php5-cgi in standard configuration as
recommended in README.Debian and this claim doesn't seem to be true:

$ wget -q -O - http://localhost:8080/index.php
$ wget -q -O - http://localhost:8080/index.php.jpeg
<?php echo 'foo'; ?>

Also, the Apache2 documentation is very clear on that issue:
See http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext

> If more than one extension is given that maps onto the same type of meta-information, then the one to the right will be used, except for languages and content encodings. For example, if .gif maps to the MIME-type image/gif and .html maps to the MIME-type text/html, then the file welcome.gif.html will be associated with the MIME-type text/html.

However, there could be a problem when you use MIME-type and handler
together (which we *don't* use):

> Care should be taken when a file with multiple extensions gets associated with both a MIME-type and a handler. This will usually result in the request being handled by the module associated with the handler.

> Maybe that's because it's expected they would be PHP scripts emitting
> JPEG files, not plain JPEG files? This seems like a feature to me, not a
> bug. Why was support for that removed?

My testing shows that the support for this was NEVER there in the
first place; neither in php5-cgi nor in libapache2-mod-php5. (Unless
you have jumped through some loops and used custom configuration not
recommended by upstream - in that case you will also probably have a
configuration which overrides our configuration anyway.)

P.S.: Ccing me or pkg-php-maint increases the chance I will see the
message and reply to you.
Ondřej Surý <ondrej@sury.org>
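
Added example (not part of the original message, and not Apache's code): a simplified Python model of the mod_mime multiple-extension rule quoted above, where each extension is looked up in turn and the right-most match wins separately for MIME types and for handlers. The extension maps, the handler name "php-handler" and the action_types stand-in for type-triggered dispatch are assumptions made for illustration.

```python
"""Simplified model of mod_mime's multiple-extension rule (added example)."""


def resolve(filename, type_map, handler_map):
    """Return (mime_type, handler) for a file name.

    Every dot-separated extension after the base name is looked up in
    turn; a later (right-hand) match overrides an earlier one of the same
    kind.  Types and handlers are tracked independently, so an inner
    extension can still supply the handler when the outer one has none.
    """
    mime_type = handler = None
    for ext in filename.lower().split(".")[1:]:
        if ext in type_map:
            mime_type = type_map[ext]
        if ext in handler_map:
            handler = handler_map[ext]
    return mime_type, handler


def served_by(filename, type_map, handler_map, action_types=frozenset()):
    """Say what would serve the file in this model.

    An explicit handler wins; otherwise a MIME type listed in action_types
    (hypothetical stand-in for type-triggered CGI dispatch) is used;
    otherwise the file is sent as static content.
    """
    mime_type, handler = resolve(filename, type_map, handler_map)
    if handler:
        return handler
    if mime_type in action_types:
        return "action:" + mime_type
    return "static"


# Constructed sample mappings (not taken from any shipped configuration).
BASE_TYPES = {"jpeg": "image/jpeg", "gif": "image/gif", "html": "text/html"}
# (a) PHP associated through a MIME type only.
TYPE_ONLY = dict(BASE_TYPES, php="application/x-httpd-php")
PHP_ACTION = frozenset({"application/x-httpd-php"})
# (b) PHP associated through a handler, alongside ordinary MIME types.
HANDLERS = {"php": "php-handler"}

if __name__ == "__main__":
    for name in ("index.php", "index.php.jpeg", "welcome.gif.html"):
        print(name,
              "| type-only:", served_by(name, TYPE_ONLY, {}, PHP_ACTION),
              "| handler:", served_by(name, BASE_TYPES, HANDLERS))
```

In the type-only case index.php.jpeg resolves to image/jpeg and is served as static content, matching the wget result in the message; in the handler case the inner .php still selects the handler, which is the situation the second documentation quote describes.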
