Re: Possible release note for systems running PHP through CGI.

To: Steven Chamberlain <steven@pyro.eu.org>
Cc: Charles Plessy <plessy@debian.org>, debian-devel@lists.debian.org, debian-release <debian-release@lists.debian.org>
Subject: Re: Possible release note for systems running PHP through CGI.
From: Wouter Verhelst <wouter@debian.org>
Date: Tue, 21 Aug 2012 11:07:17 +0200
Message-id: <[🔎] 20120821090717.GB6600@grep.be>
In-reply-to: <[🔎] 503245BE.8040201@pyro.eu.org>
References: <[🔎] 20120819021726.GC20875@falafel.plessy.net> <[🔎] 20120820070213.GB4732@grep.be> <[🔎] 50322951.30900@pyro.eu.org> <[🔎] 20120820133551.GB7373@grep.be> <[🔎] 503245BE.8040201@pyro.eu.org>

On Mon, Aug 20, 2012 at 03:12:14PM +0100, Steven Chamberlain wrote:
> On 20/08/12 14:35, Wouter Verhelst wrote:
> > On Mon, Aug 20, 2012 at 01:10:57PM +0100, Steven Chamberlain wrote:
> >> Yes it's possible some people rely on that behaviour, e.g. serving JPEG
> >> data from PHP scripts named like foo.php.jpeg.
> 
> Sorry, I was wrong.  For extensions like .jpeg with a known MIME type it
> does not work.  So, people are unlikely to be relying on this effect.
> 
> [🔎] CALjhHG8Dd+nv2UvGJBvrtuBDnA3M+o1afo0BQYLyFPqkHujZTg@mail.gmail.com">http://lists.debian.org/[🔎] CALjhHG8Dd+nv2UvGJBvrtuBDnA3M+o1afo0BQYLyFPqkHujZTg@mail.gmail.com
> 
> 
> >> But some sites accept file uploads with arbitrary names, [...]
> > 
> > Don't Do That Then(TM).
> 
> Yes I very much agree...
> 
> > [...] write your upload scripts so that they
> > - Store uploads in a directory which is served by the webserver, but
> >   without allowing any kind of script execution (i.e., "Options
> >   -ExecCGI" and similar things for other scripting environments and/or
> >   webservers)
> 
> I believe -ExecCGI would work for php5-cgi but not for
> libapache2-mod-php5 (whose handler relies on MIME types).

I did say "and similar things for other scripting environments" for a
reason...

> To protect against that, I notice our drupal6 packages create an .htaccess
> file in the file uploads directory, with:
>
> > SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006

Yes. This is exactly what I described above: make sure the uploads are
in a directory that disallows any kind of script execution.

-- 
The volume of a pizza of thickness a and radius z can be described by
the following formula:

pi zz a

Reply to:

References:
- Possible release note for systems running PHP through CGI.
  - From: Charles Plessy <plessy@debian.org>
- Re: Possible release note for systems running PHP through CGI.
  - From: Wouter Verhelst <wouter@debian.org>
- Re: Possible release note for systems running PHP through CGI.
  - From: Steven Chamberlain <steven@pyro.eu.org>
- Re: Possible release note for systems running PHP through CGI.
  - From: Wouter Verhelst <w@uter.be>
- Re: Possible release note for systems running PHP through CGI.
  - From: Steven Chamberlain <steven@pyro.eu.org>

Prev by Date: Re: Bug#684396: ITP: openrc -- alternative boot mechanism that manages the services, startup and shutdown of a host
Next by Date: Re: Possible release note for systems running PHP through CGI.
Previous by thread: Re: Possible release note for systems running PHP through CGI.
Next by thread: Re: Possible release note for systems running PHP through CGI.
Index(es):
- Date
- Thread