
Re: Possible release note for systems running PHP through CGI.

On Mon, Aug 20, 2012 at 3:35 PM, Charles Plessy <plessy@debian.org> wrote:
>> Charles, did you test that or you base that claim on Christoph's
>> mails?  I have just tested both php5-cgi in standard configuration as
>> recommended in README.Debian and this claim doesn't seem to be true:
>> $ wget -q -O - http://localhost:8080/index.php
>> bar
>> $ wget -q -O - http://localhost:8080/index.php.jpeg
>> <?php echo 'foo'; ?>
> I did not test, and was trusting from http://bugs.debian.org/589384, which
> requested the removal of the PHP media types for Wheezy, that the problem was
> still present in some configurations.

Ah, I see; it gets executed when there is no known handler or mime-type
for the second extension.

E.g. index.php.jpeg works as expected (e.g. returning PHP source
code), but index.php.blubb gets executed. I don't think there's any
harm in disabling php.foobar and php.blubb files.

> Good to see that we are heading towards a solution anyway.
> What shall I do with #674089 ?  I can reassign it to php5-cgi so that your next
> upload closes it, or do we still need release notes ?

I think we still might need release notes, but they need to be updated
based on the final impact of the changes we have made. I am not sure if the
information about <filename>.php.<unknown-mime-type> is worth release
notes or just the NEWS file in PHP. My guess would be the latter, but opinions
may vary.

Also I am not happy that we make these changes so late in the release
cycle, but I guess we now have to find a way to cope with them and
still make the release team happy. I think the changes I have made are
the least intrusive, but again opinions may vary.

Ondřej Surý <ondrej@sury.org>
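
Added example, not part of the original message or of the php5 packaging: a Python audit helper that flags files in a document root which do not end in `.php` but would still be run as PHP under the behaviour described above. The right-most-recognised-extension rule is a simplified model of that behaviour, and the function names and the `KNOWN_EXTENSIONS` set are assumptions constructed for illustration.

```python
import os

# Constructed sample of extensions the web server has a media type or handler for.
# Assumption: on a real host this set would be built from the server's own
# media-type and handler configuration.
KNOWN_EXTENSIONS = {"php", "html", "txt", "jpeg", "jpg", "png", "gif"}
PHP_EXTENSIONS = {"php"}


def effective_extension(filename, known=KNOWN_EXTENSIONS):
    """Return the right-most extension the server recognises, or None.

    Simplified model of the behaviour described in the message: extensions
    with no known handler or media type are skipped, so an earlier
    recognised extension decides how the file is served.
    """
    parts = os.path.basename(filename).lower().split(".")[1:]
    for ext in reversed(parts):
        if ext in known:
            return ext
    return None


def hidden_php_files(filenames, known=KNOWN_EXTENSIONS):
    """List files that do not end in .php but would still be run as PHP."""
    flagged = []
    for name in filenames:
        last = name.lower().rsplit(".", 1)[-1]
        if last not in PHP_EXTENSIONS and effective_extension(name, known) in PHP_EXTENSIONS:
            flagged.append(name)
    return flagged


def scan_tree(root, known=KNOWN_EXTENSIONS):
    """Walk a document root and return paths of hidden PHP files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in hidden_php_files(files, known))
    return hits


# Constructed file names: the ones from the message plus two more.
SAMPLE = ["index.php", "index.php.jpeg", "index.php.blubb", "upload.php.foobar", "notes.txt"]

if __name__ == "__main__":
    for path in hidden_php_files(SAMPLE):
        print("would be executed as PHP:", path)
```

Running `scan_tree` over an upload directory shows which existing files fall into the `<filename>.php.<unknown-mime-type>` case before and after a configuration change.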
