
Re: Possible release note for systems running PHP through CGI.

Hi Ondřej.

On Mon, 2012-08-20 at 14:57 +0200, Ondřej Surý wrote:
> http://anonscm.debian.org/gitweb/?p=pkg-php/php.git;a=commit;h=72eef08994f65b227103509617652d7c0bf0587a
- You mention in the README.Debian now, that no other webserver likely used /etc/mime.types.
Wasn't there someone who meant lighttpd was also using it?

- I like the changes to the wording of the "PHP 5 CGI and Apache HTTP
Server" section.

- Where you write: "add the mentioned configuration block to one or more
virtual sites." ... you may even refine that to "add the mentioned
configuration block to one or more virtual hosts or directories."

- Where you write: "It's advised to not mix&match mod_php and php5-cgi
in the same" is that intended, that php5-fpm is missing?

To the rules:
- They seem ok from a security point of view.
- When using FilesMatch, one can slightly optimise the subpatterns, by
placing "?:" after the "(", e.g.
- At the places where you Deny, one might perhaps add "Satisfy All"
again. It's "All" per default, but if one has set that to Any in main
server context, your deny-intention might get ineffective again.

> I agree on that, even though I think that PHP should have its own
> mimetype definition (same as python or perl, e.g. application/x-php,
> but let's keep this discussion out of this issue, since it's something
> different).
+1 on that.

> I am not aware of any other (Debian shipped) web server which uses
> system-wide mime-types.  At least both nginx and lighttpd don't depend
> on system mime types for interpreting PHP files (both use extension
> based definitions).
Ah ok,... so ignore my question from above... :)

> > If more than one extension is given that maps onto the same type of
> meta-information, then the one to the right will be used, except for
> languages and content encodings. For example, if .gif maps to the
> MIME-type image/gif and .html maps to the MIME-type text/html, then
> the file welcome.gif.html will be associated with the MIME-type
> text/html.
Right, ....the others already pointed out in the meantime, what can
still happen.
I guess we should be largely safe from all this now.
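
The following is an added example, not part of the original message or of the Debian packaging: a small Python model of the quoted rule that the rightmost mapped extension decides the media type, compared with an end-anchored FilesMatch-style pattern using the non-capturing "(?:" group mentioned above. The extension map, the pattern and the file names are constructed for illustration, and skipping unmapped extensions is an assumption of the model.

```python
import re

# Constructed extension -> media type map (stand-in for /etc/mime.types entries).
MIME_TYPES = {
    "gif": "image/gif",
    "html": "text/html",
    "jpg": "image/jpeg",
    "php": "application/x-httpd-php",
}

# Hypothetical FilesMatch-style pattern, anchored at the end, with the
# non-capturing "(?:" group suggested in the message.
PHP_FILES = re.compile(r".+\.(?:php|phtml)$")


def mime_type_for(filename):
    """Model of the quoted rule: every dot-separated extension is looked up
    and, for the media type, the rightmost mapped one wins.
    Assumption of this model: extensions missing from the map are skipped."""
    _basename, *extensions = filename.split(".")
    media_type = None
    for ext in extensions:
        media_type = MIME_TYPES.get(ext.lower(), media_type)
    return media_type


def matched_by_filesmatch(filename):
    """True when the anchored pattern selects the file."""
    return PHP_FILES.search(filename) is not None


def audit(filenames):
    """Return names that the type-based mapping treats as PHP but the
    anchored pattern does not: candidates for review by an administrator."""
    return [
        name for name in filenames
        if mime_type_for(name) == "application/x-httpd-php"
        and not matched_by_filesmatch(name)
    ]


# Constructed sample file names.
SAMPLE = ["welcome.gif.html", "index.php", "photo.php.jpg", "notes.php.bak"]

if __name__ == "__main__":
    for name in SAMPLE:
        print(name, mime_type_for(name), matched_by_filesmatch(name))
    print("review:", audit(SAMPLE))
```
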

