
Re: Possible release note for systems running PHP through CGI.

On Mon, Aug 20, 2012 at 8:12 PM, Stefan Fritsch <sf@debian.org> wrote:
> On Monday 20 August 2012, Ondřej Surý wrote:
>> Ah, I see; it gets executed when there is no known handler or
>> mime-type for the second extension.
>> E.g. index.php.jpeg works as expected (e.g. returning PHP source
>> code), but index.php.blubb gets executed. I don't think there's any
>> harm in disabling php.foobar and php.blubb files.
> There is also the case that the extensions after .php are known to
> Apache but are not associated with mime types or handlers. For
> example, there are extensions like .de and .en which cause the
> Content-Language header to be set, extensions for setting the charset
> (e.g. .utf8) and extensions for setting the content-encoding (none
> configured by default).
> I don't know how often this is actually used together with php.
> Setting the Content-* headers in the php script seems saner to me.

Right, I have never seen this to be used together with PHP, but it
probably deserves a note somewhere.

>> > Good to see that we are heading towards a solution anyway.
>> >
>> > What shall I do with #674089 ?  I can reassign it to php5-cgi so
>> > that your next upload closes it, or do we still need release
>> > notes ?
>> I think we still might need release notes, but it needs to be
>> updated based on final impact of changes we have done. I am not
>> sure if the information about <filename>.php.<unknown-mime-type>
>> is worth release notes or just NEWS file in PHP. My guess would be
>> latter, but opinions may vary.
> Maybe add just a small paragraph that the configuration of the
> extensions has changed and php users should read the NEWS file?

That's probably a sensible approach.  I have quickly drafted a short
paragraph which can be used for release notes:

Default PHP extension configuration

The mime-types package has dropped non-standard definitions of
PHP MIME-Types as a security measure.  The default PHP configuration
for libapache2-mod-php5{filter} and php5-cgi now only serves files
which have .php, .php[345] and .phtml extensions in the rightmost
position, as opposed to the previous state where <filename>.php.foobar
would have been interpreted.  Please read the NEWS file in the PHP
SAPI of your choice for further information.


Ondřej Surý <ondrej@sury.org>
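
Added example (not part of the original message, and not Debian's or PHP's own code): a small audit script an administrator could run over a document root before upgrading, to list files that were interpreted as PHP under the previous behaviour described in this thread but will not be once only the rightmost extension counts. The extension sets are constructed samples, the model of the old behaviour is a simplification of what the thread describes, and all function names are hypothetical.

```python
import os
import re
import sys

# Constructed subsets for illustration (assumption): a real audit would load
# the server's mime.types and its language/charset/encoding extension settings.
MIME_TYPED = {"jpeg", "jpg", "png", "gif", "html", "txt"}
META_ONLY = {"de", "en", "utf8"}  # set Content-* headers, no type or handler
PHP_EXT = re.compile(r"php[345]?|phtml")


def old_executes(exts):
    """Simplified model of the old behaviour: last MIME-typed extension wins."""
    is_php = False
    for ext in exts:
        if PHP_EXT.fullmatch(ext):
            is_php = True
        elif ext in MIME_TYPED:
            is_php = False
    return is_php


def classify(name):
    """Return how the configuration change affects one file name."""
    exts = name.split(".")[1:]
    if exts and PHP_EXT.fullmatch(exts[-1]):
        return "php"  # PHP extension is rightmost: still interpreted
    if not old_executes(exts):
        return "not-php"  # never interpreted, e.g. index.php.jpeg
    last_php = max(i for i, e in enumerate(exts) if PHP_EXT.fullmatch(e))
    if all(e in META_ONLY for e in exts[last_php + 1:]):
        return "was-php-meta-ext"  # e.g. index.php.de
    return "was-php-unknown-ext"  # e.g. index.php.blubb


def audit(root):
    """Walk a document root; report files that are no longer interpreted."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            verdict = classify(name)
            if verdict.startswith("was-php"):
                findings[os.path.join(dirpath, name)] = verdict
    return findings


if __name__ == "__main__":
    for path, verdict in sorted(audit(sys.argv[1]).items()):
        print(verdict, path)
```

Files reported as `was-php-meta-ext` are the language or charset variants mentioned in the thread and need renaming or headers set in the script; `was-php-unknown-ext` entries are worth reviewing, since they were interpreted without an obvious reason to be.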
