Re: Request for review of NEWS and README.Debian in PHP
Ondřej Surý wrote:
> 1. http://anonscm.debian.org/gitweb/?p=pkg-php/php.git;a=blob;f=debian/php5-cgi.NEWS;hb=HEAD
(Silently fixing articles throughout, but ignoring stylistic issues
like single quotes and spaces after stops):
> * As a security measure the default configuration for Apache 2 has been
> changed to more strict model. Only files which has the correct
stricter have
> extension at the most right place and has a filename (e.g. at least
> one character before the extension) are now interpreted by PHP. For a
Rephrasing:
[...] Only files which have the correct
rightmost extension, and at least one character in the filename before
that extension, are now interpreted by PHP. [...]
> full list of handled extensions please see Apache 2 configuration. At
> the time of writing this paragraph this includes following regular
> expressions:
(Extra comma)
[...]
> Previously the default configuration would allow to interpret files
Objectless "allow" isn't allowed.
> with double extension where the second extension would be either
> unknown or language or content encoding. E.g. uploaded file named
s/unknown/unrecognised/
> blackhat.php.foobar or index.php.cs would be interpreted by PHP as a
> side effect of system MIME-Type definitions. These non-standard
~ ~ ~ ~ ~ ~
Surely this "side effect" is part of the whole "previously" thing, not
just something that belongs in the example?
[...]
> The standard configuration now also denies access to files which only
> consist of extension and nothing more, e.g. accessing '/.php' would
> now return Access Denied instead of output of PHP script.
[...]
It's the filenames that consist of "extension and nothing more", not
the files. (And of course this whole notion of UNIX filenames having
"extensions" is a creeping MS-DOSism, but this isn't the place to moan
about that.)
[...]
> 2. http://anonscm.debian.org/gitweb/?p=pkg-php/php.git;a=blob;f=debian/NEWS;hb=HEAD
[...]
Not much work here:
> Please be aware that the mime-types package dropped non-standard
^has
and an s/and also/as well as/ later on.
> 3. http://anonscm.debian.org/gitweb/?p=pkg-php/php.git;a=blob;f=debian/php5-common.README.Debian;hb=HEAD
I did a few minor tweaks to other parts of this file, such as
s/eg./e.g./, s/php/PHP/, s/sapi/SAPI/. Here the standard appears to
be single-spaced sentences...
> In simple cases, what you probably want isn't php5-cgi package at
> all, but rather the libapache2-mod-php5 package, which will
> configure itself on installation and Just Work(tm). If, however, you
However, if\n you
[...]
> More recent way of doing this is to install php5-fpm package and use
I would suggest:
The current recommended approach is to install the php5-fpm package
and use
> FastCGI to interface of your webserver. However you will have to
to
> use libapache2-mod-fastcgi package (from non-free) or different
> FastCGI capable webserver (f.e. nginx or lighttpd) since
^^^^
No such abbreviation; just use English "such as".
> libapache2-mod-fcgid available from main archive has no way how to
> interact with external FastCGI servers.
[...] has no way of interacting [...]
[...]
> You should also be aware, that a server deployed in CGI mode is open
X
> to several possible vulnerabilities, see upstream CGI security page
. See
> to learn ow to defend yourself from such attacks:
how
> http://www.php.net/manual/en/security.cgi-bin.php
[...]
> 4) It's advised to not mix&match multiple SAPIs (f.e. php5-cgi and
mix-and-match such as
> libapache2-mod-php5) in the same apache2 configuration as it is
> likely to create unpredictable results.
>
--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package
php5 (5.4.4-5) unstable; urgency=low
* As a security measure the default configuration for Apache 2 has been
changed to a stricter model. Only files which have the correct
rightmost extension, and at least one character in the filename before
that extension, are now interpreted by PHP. For a full list of
handled extensions please see the Apache 2 configuration. At the time
of writing this paragraph, the list includes the following regular
expressions:
1. .+\.ph(p[345]?|t|tml)$ for PHP files (application/x-httpd-php)
2. .+\.phps$ for PHP source files (application/x-httpd-php-source)
Previously, as a side effect of system MIME type definitions, the
default configuration would allow the interpreting of files with a
double extension, where the second extension was either unrecognised
or a language or content encoding to be interpreted; e.g. an uploaded
file named blackhat.php.foobar or index.php.cs would be interpreted by
PHP. These non-standard definitions have been removed from the
mime-types packages and all configuration of PHP handlers is now
defined in the Apache 2 configuration files.
The standard configuration now also denies access to files with names
which consist of an extension and nothing more; e.g. accessing '/.php'
will now return Access Denied instead of the output of the PHP script.
You can use the following command to find whether there are any files
on your system which would be affected by this change (change <base>
to the directory name where you store PHP files on your system):
# find <base> -name '*.ph[pt].*' -o -name '*.php[345s].*' -o \
-name '*.phtml.*' -o -name '.ph[pt]' -o \
-name '.php[345s]' -o -name '.phtml'
-- Ondřej Surý <ondrej@debian.org> Tue, 21 Aug 2012 09:14:47 +0200
php5 (5.4.0~rc8-1) unstable; urgency=low
php5-fpm default www spool now listens on unix socket located
in /var/run/php5-fpm.sock instead of localhost:9000. If you
have configured your webserver to use localhost:9000, you will
have to change your settings.
-- Ondřej Surý <ondrej@debian.org> Wed, 08 Feb 2012 08:25:30 +0100
php5 (5.4.0~rc6-2) unstable; urgency=low
t1lib support was removed from PHP 5.4. t1lib has many security
issues and has been unmaintained by upstream for a very long time (3 years).
For more information see:
+ http://bugs.debian.org/637488
+ http://bugs.debian.org/638755
This unfortunately also means that following functions are not
available in PHP5 from now:
- imagepsloadfont
- imagepsfreefont
- imagepsencodefont
- imagepsextendfont
- imagepsslantfont
- imagepstext
- imagepsbbox
If you really need those functions you will need to install t1lib from
sources. You will need to install php5-dev and recompile GD extension
(roughly) using following commands:
cd <path_to_php5_sources>/ext/gd/
phpize
configure --with-gd=shared,/usr --enable-gd-native-ttf \
--with-t1lib=<location_of_your_t1lib>
make
make install
-- Ondřej Surý <ondrej@debian.org> Wed, 01 Feb 2012 18:19:45 +0100
php5 (5.3.9-4) unstable; urgency=low
* The Suhosin patch is now disabled in the default build.
If you want to re-enable it again for your installation, you can
set the option PHP5_SUHOSIN=yes in debian/rules and recompile PHP.
-- Ondřej Surý <ondrej@debian.org> Sat, 28 Jan 2012 08:39:36 +0100
php5 (5.3.6-13) unstable; urgency=low
* Updated blowfish crypt() algorithm fixes the 8-bit character handling
vulnerability (CVE-2011-2483) and adds more self-tests. Unfortunately
this change is incompatible with some old (wrong) generated hashes for
passwords containing 8-bit characters.
It is recommended that any passwords containing characters with
the 8th bit set be changed after this upgrade. In order to allow users
to log in after the upgrade even if they have a potentially affected
password, the newly introduced backwards compatibility hash encoding
prefix of "$2x$" may be used (in place of the usual "$2a$"). Such
password hashes should only be used during a transition period; when
passwords are changed, the usual "$2a$" prefix is used, denoting the
correct algorithm.
-- Ondřej Surý <ondrej@debian.org> Mon, 04 Jul 2011 10:31:16 +0200
php5 (5.3.1-3) unstable; urgency=low
* mod_php disabled in userdirs.
The default Debian libapache2-mod-php5 package now disables the PHP
engine on ~/public_html directories when mod_userdir is enabled, for
security reasons. Although discouraged, it can be re-enabled by
commenting the <IfModule mod_userdir.c> block in
/etc/apache2/mods-available/php5.conf
* PHP 5.2 compatibility settings
Given the short time to the Squeeze release freeze, the
short_open_tag setting has been turned On again (upstream now
defaults to Off on the php.ini files.) However, the request_order and
auto_globals_jit settings continue to be the default from upstream
("GP" and On, respectively.)
-- Raphael Geissert <geissert@debian.org> Mon, 11 Jan 2010 16:49:28 -0600
php5 (5.2.11.dfsg.1-2) unstable; urgency=high
* Maximum number of file uploads per request limited
To prevent Denial of Service attacks by exhausting the number of
available temporary file names, upstream introduced the max_file_uploads
option in 5.3.1 and 5.2.12.
Due to the nature of this new option a default limit has been set
to 50, hoping it is sensible enough to not cause disruptions on
existing services.
The value of this new limit can be changed in the php.ini file.
If you installed the php5-suhosin extension there was a limiting
mechanism in place already. In this case you may want to make sure
the new limit imposed by PHP itself is not smaller than suhosin's.
-- Raphael Geissert <geissert@debian.org> Sat, 21 Nov 2009 13:37:51 -0600
php5 (5.2.6-1) unstable; urgency=medium
* Now uses system timezone database.
Debian PHP now makes use of the system wide timezone database from the
tzdata package, making sure any updates there are automatically used
by PHP as well. Note that this requires that the PHP process has access
to /etc/localtime and /usr/share/zoneinfo (this is usually the case).
* New php5-dbg package.
We are now shipping a php5-dbg package which will greatly aid in finding
the cause of many crashes that you may experience. So if you are going to
report a bug for a reproducible crash, please install this package before
sending a backtrace.
* New libapache2-mod-php5filter package.
We are now also shipping a new libapache2-mod-php5filter package which
uses the "Apache 2.0 filter-module support via DSO through APXS".
-- Thijs Kinkhorst <thijs@debian.org> Wed, 23 Jul 2008 17:42:06 +0200
php5 (5.2.3-2) unstable; urgency=low
The Suhosin patch is now enabled by default!
For more information, see
<http://www.hardened-php.net/suhosin/index.html>.
Special thanks to Blars Blarson for providing a sparc machine for testing
that the patch seems to work okay on that architecture. If you experience
otherwise let us know!
Suggestions are welcome for default configuration options, examples,
documentation, etc.
In any event please report successes and/or failures to us at
pkg-php-maint@lists.alioth.debian.org.
-- sean finney <seanius@debian.org> Thu, 12 Jul 2007 23:38:43 +0200
php5 (5.4.4-5) unstable; urgency=low
Please be aware that the mime-types package has dropped non-standard
definitions for PHP that might affect any systems using PHP 5 running
as CGI or FastCGI. The following definitions were dropped:
application/x-httpd-php phtml pht php
application/x-httpd-php-source phps
application/x-httpd-php3 php3
application/x-httpd-php3-preprocessed php3p
application/x-httpd-php4 php4
application/x-httpd-php5 php5
The php5-cgi package mitigates any known issues by creating a (dummy)
apache2 module php5_cgi with a configuration containing handlers for
all previously defined extensions. Even though we believe that this
configuration should keep your PHP scripts interpreted, it might be a
good idea to check your apache2 site-wide configuration as well as
any specific PHP configuration for websites running on your system.
As far as we know definitions from the mime-types packages are not
used in any other webserver included in Debian, but it might affect
any application which relies on system MIME types to interpret PHP
files.
-- Ondřej Surý <ondrej@debian.org> Wed, 15 Aug 2012 10:31:31 +0200
Table of Contents:
----------------------------------------------------------------------
* Using PHP 5 with threaded webservers (e.g. apache2-mpm-worker)
* Problems starting Apache HTTP Server with PHP 5
* Session storage
* Other caveats
* PHP 5 CGI and Apache HTTP Server
* Configuration layout
* Timezone data from system timezone database
* Further documentation, errata, etc
Using PHP 5 with threaded webservers (e.g. apache2-mpm-worker)
----------------------------------------------------------------------
After much back-and-forth with upstream (and even building our
packages thread-safe for a while), we're currently admitting defeat
on that front, and are NOT building any thread-safe versions of PHP
5 for any webservers. Our recommendation is that, if you need to use
a threaded webserver, you should use php5-fpm and interface to your
webserver with FastCGI.
Problems starting Apache HTTP Server with PHP 5
----------------------------------------------------------------------
At the time of writing, there are no *known* incompatibilities
between any of the PHP 5 modules we ship. However, there have been
many bug reports in the past due to dynamically-loaded extensions,
and it's possible there are still bugs in the released packages. If
Apache fails to start after you install PHP 5, check your list of
enabled extensions at the bottom of /etc/php5/apache2/php.ini (and
in the per-SAPI configuration directory), and try commenting out or
reordering the extensions until you find a combination that works.
For example, in the past the mhash extension was incompatible with
some other common extensions. To work around this, you could list
the mhash extension first in php.ini.
If you find an extension-related bug in the Debian packages, and you
are willing to help debug the problem, please send us a bug report
that lists all enabled PHP 5 extensions (extension=), in the order
in which they appear in php.ini, as well as all enabled Apache
modules (LoadModule), with version numbers where possible.
Session storage
----------------------------------------------------------------------
Session files are stored in /var/lib/php5. For security purposes,
this directory is unreadable to non-root users. This means that PHP
5 running from Apache HTTP Server, for example, will not be able to
clean up stale session files. Instead, we have a cron job run every
30 minutes that cleans up stale session files; /etc/cron.d/php5. You
may need to modify how often this runs, if you've modified
session.gc_maxlifetime in your php.ini; otherwise, it may be too lax
or overly aggressive in cleaning out stale session files.
Other caveats
----------------------------------------------------------------------
Configuration directives extension_dir and include_path should be
commented out, unless you need special settings for them so PHP will
look in compiled-in paths. If you set them, you should also add
appropriate PHP install directories there.
PHP 5 CGI and Apache HTTP Server
----------------------------------------------------------------------
In simple cases, what you probably want isn't the php5-cgi package
at all, but rather the libapache2-mod-php5 package, which will
configure itself on installation and Just Work(tm). However, if you
have a need to use the CGI version of PHP 5 with Apache HTTP Server,
the following should help get you going, though there are dozens of
different ways to do this.
The current recommended approach is to install the php5-fpm package
and use FastCGI to interface to your webserver. However, you will
have to use the libapache2-mod-fastcgi package (from non-free) or a
different FastCGI-capable webserver (such as nginx or lighttpd),
since the libapache2-mod-fcgid available from the main archive has
no way of interacting with external FastCGI servers.
Please note that this process will never be made automatic, as
php5-cgi is meant to be a webserver-agnostic package that can be
used with any httpd, and we don't want it to conflict with the
httpd-specific packages such as libapache2-mod-php5. If both were
installed side-by-side and both were automatically enabled, the
results would be a bit confusing, obviously.
You should also be aware that a server deployed in CGI mode is open
to several possible vulnerabilities. See the upstream CGI security
page to learn how to defend yourself from such attacks:
http://www.php.net/manual/en/security.cgi-bin.php
To use php5-cgi with Apache HTTP Server:
1) activate php5_cgi module: run 'a2enmod php5_cgi'
2) this will also activate the mod_actions module as a dependency
3) comment out the last block of configuration in the
/etc/apache2/mods-enabled/php5_cgi.conf file to enable
server-wide PHP 5 CGI or add the mentioned configuration block to
one or more virtual hosts or directories.
4) It's advised to not mix-and-match multiple SAPIs (such as
php5-cgi along with libapache2-mod-php5) in the same apache2
configuration as it is likely to create unpredictable results.
Configuration Layout
----------------------------------------------------------------------
Each SAPI (apache2/apache2filter/cgi/cli/fpm) has a different
central configuration file /etc/php5/$SAPI/php.ini.
Additionally, each SAPI is configured with the compile-time option
--with-config-file-scan-dir=/etc/php5/$SAPI/conf.d
which for all SAPIs is actually a symlink pointing to a central
directory /etc/php5/conf.d. Any file found in this directory ending
in .ini will be treated as a configuration file by the PHP SAPI.
The rationale behind this method is that each SAPI can thus be
identically configured with a minimal amount of conffile handling,
but at the same time if you want to have SAPI-specific
configuration, you can just remove the symlink.
Note that the usage of the PHP_INI_SCAN_DIR environment variable
overrides what is set with --with-config-file-scan-dir and thus the
directory /etc/php5/$SAPI/conf.d will no longer be included.
Timezone data from system timezone database
----------------------------------------------------------------------
Debian PHP has been patched to use the system wide timezone database
from the tzdata package, making sure any updates there are
automatically used by PHP as well.
Note that this requires that the PHP process has access to
/etc/localtime and /usr/share/zoneinfo. For any regular installation
this should be the case, but in specific secured environments when
reading the timezone database is impossible PHP will give a
"Timezone database is corrupt - this should *never* happen!" error.
Further documentation, errata, misc.
----------------------------------------------------------------------
Errata and other general information about PHP in Debian can be
found in the debian wiki at:
http://wiki.debian.org/PHP
If after reading the documentation in this file you still have
unanswered questions, that's a good next place to go.
-- Ondřej Surý <ondrej@debian.org>, Tue, 21 Aug 2012 09:12:53 +0200
diff -ru old/NEWS new/NEWS
--- old/NEWS 2012-08-21 08:47:19.648953844 +0100
+++ new/NEWS 2012-08-21 09:04:26.852411396 +0100
@@ -1,32 +1,32 @@
php5 (5.4.4-5) unstable; urgency=low
* As a security measure the default configuration for Apache 2 has been
- changed to more strict model. Only files which has the correct
- extension at the most right place and has a filename (e.g. at least
- one character before the extension) are now interpreted by PHP. For a
- full list of handled extensions please see Apache 2 configuration. At
- the time of writing this paragraph this includes following regular
+ changed to a stricter model. Only files which have the correct
+ rightmost extension, and at least one character in the filename before
+ that extension, are now interpreted by PHP. For a full list of
+ handled extensions please see the Apache 2 configuration. At the time
+ of writing this paragraph, the list includes the following regular
expressions:
1. .+\.ph(p[345]?|t|tml)$ for PHP files (application/x-httpd-php)
2. .+\.phps$ for PHP source files (application/x-httpd-php-source)
- Previously the default configuration would allow to interpret files
- with double extension where the second extension would be either
- unknown or language or content encoding. E.g. uploaded file named
- blackhat.php.foobar or index.php.cs would be interpreted by PHP as a
- side effect of system MIME-Type definitions. These non-standard
- definitions have been removed from the mime-types packages and all
- configuration of PHP handlers is now defined in Apache 2 configuration
- files.
+ Previously, as a side effect of system MIME type definitions, the
+ default configuration would allow the interpreting of files with a
+ double extension, where the second extension was either unrecognised
+ or a language or content encoding to be interpreted; e.g. an uploaded
+ file named blackhat.php.foobar or index.php.cs would be interpreted by
+ PHP. These non-standard definitions have been removed from the
+ mime-types packages and all configuration of PHP handlers is now
+ defined in the Apache 2 configuration files.
- The standard configuration now also denies access to files which only
- consist of extension and nothing more, e.g. accessing '/.php' would
- now return Access Denied instead of output of PHP script.
+ The standard configuration now also denies access to files with names
+ which consist of an extension and nothing more; e.g. accessing '/.php'
+ will now return Access Denied instead of the output of the PHP script.
- You can use following command to find whether there are any files on
- your system which would be affected by this change (change <base> to
- directory name where you store PHP files on your system):
+ You can use the following command to find whether there are any files
+ on your system which would be affected by this change (change <base>
+ to the directory name where you store PHP files on your system):
# find <base> -name '*.ph[pt].*' -o -name '*.php[345s].*' -o \
-name '*.phtml.*' -o -name '.ph[pt]' -o \
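Review bot: in the rewritten "Previously" paragraph, the added line "or a language or content encoding to be interpreted; e.g. an uploaded" ends its clause with a stray "to be interpreted" that has nothing to attach to, because "would allow the interpreting of files" already carries the verb. Suggest dropping those three words so the clause reads "where the second extension was either unrecognised or a language or content encoding; e.g. an uploaded file named ...".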
diff -ru old/php5-cgi.NEWS new/php5-cgi.NEWS
--- old/php5-cgi.NEWS 2012-08-21 08:46:58.860411183 +0100
+++ new/php5-cgi.NEWS 2012-08-21 09:04:06.804747211 +0100
@@ -1,8 +1,8 @@
php5 (5.4.4-5) unstable; urgency=low
- Please be aware that the mime-types package dropped non-standard
+ Please be aware that the mime-types package has dropped non-standard
definitions for PHP that might affect any systems using PHP 5 running
- as CGI or FastCGI. Following definitions were dropped:
+ as CGI or FastCGI. The following definitions were dropped:
application/x-httpd-php phtml pht php
application/x-httpd-php-source phps
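Review bot: the file header for this hunk names php5-cgi.NEWS, but the review mail quotes this "mime-types package dropped" text under the debian/NEWS URL and the Apache 2 "stricter model" text under the php5-cgi.NEWS URL, which is the reverse of how the two files are labelled in this patch. Worth confirming which text belongs to which file before applying, since either the URLs in the mail or the old/ and new/ file names here are swapped.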
@@ -15,8 +15,8 @@
apache2 module php5_cgi with a configuration containing handlers for
all previously defined extensions. Even though we believe that this
configuration should keep your PHP scripts interpreted, it might be a
- good idea to check your apache2 site-wide configuration and also any
- specific PHP configuration for websites running on your system.
+ good idea to check your apache2 site-wide configuration as well as
+ any specific PHP configuration for websites running on your system.
As far as we know definitions from the mime-types packages are not
used in any other webserver included in Debian, but it might affect
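Review bot: the unchanged closing paragraph in this hunk says "definitions from the mime-types packages" (plural) while the first paragraph of the same file now reads "the mime-types package has dropped" (singular), and "it might affect" follows the plural subject "definitions". Suggest settling on one form of the package name throughout and changing the last clause to "but they might affect any application which relies on system MIME types".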
diff -ru old/php5-common.README.Debian new/php5-common.README.Debian
--- old/php5-common.README.Debian 2012-08-21 08:47:36.928744532 +0100
+++ new/php5-common.README.Debian 2012-08-21 09:37:51.112411167 +0100
@@ -1,6 +1,6 @@
Table of Contents:
----------------------------------------------------------------------
-* Using PHP 5 with threaded webservers (eg. apache2-mpm-worker)
+* Using PHP 5 with threaded webservers (e.g. apache2-mpm-worker)
* Problems starting Apache HTTP Server with PHP 5
* Session storage
* Other caveats
@@ -9,14 +9,14 @@
* Timezone data from system timezone database
* Further documentation, errata, etc
-Using PHP 5 with threaded webservers (eg. apache2-mpm-worker)
+Using PHP 5 with threaded webservers (e.g. apache2-mpm-worker)
----------------------------------------------------------------------
After much back-and-forth with upstream (and even building our
packages thread-safe for a while), we're currently admitting defeat
- on that front, and are NOT building any thread-safe versions of PHP 5
- for any webservers. Our recommendation is that, if you need to use a
- threaded webserver, you should use php5-fpm and interface your
+ on that front, and are NOT building any thread-safe versions of PHP
+ 5 for any webservers. Our recommendation is that, if you need to use
+ a threaded webserver, you should use php5-fpm and interface to your
webserver with FastCGI.
Problems starting Apache HTTP Server with PHP 5
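Review bot: the table-of-contents context line "* Further documentation, errata, etc" at the top of this hunk does not match the section heading in the attached file, which reads "Further documentation, errata, misc.". Since this hunk already brings the "threaded webservers" heading into line with its contents entry, the same pass could make these two agree, with a full stop after the abbreviation in both places.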
@@ -28,7 +28,7 @@
and it's possible there are still bugs in the released packages. If
Apache fails to start after you install PHP 5, check your list of
enabled extensions at the bottom of /etc/php5/apache2/php.ini (and
- in the per-sapi configuration directory), and try commenting out or
+ in the per-SAPI configuration directory), and try commenting out or
reordering the extensions until you find a combination that works.
For example, in the past the mhash extension was incompatible with
@@ -38,17 +38,17 @@
If you find an extension-related bug in the Debian packages, and you
are willing to help debug the problem, please send us a bug report
that lists all enabled PHP 5 extensions (extension=), in the order
- in which they appear in php.ini, as well as all enabled Apache modules
- (LoadModule), with version numbers where possible.
+ in which they appear in php.ini, as well as all enabled Apache
+ modules (LoadModule), with version numbers where possible.
Session storage
----------------------------------------------------------------------
Session files are stored in /var/lib/php5. For security purposes,
- this directory is unreadable by non-root users. This means that PHP
+ this directory is unreadable to non-root users. This means that PHP
5 running from Apache HTTP Server, for example, will not be able to
clean up stale session files. Instead, we have a cron job run every
- 30 mins that cleans up stale session files; /etc/cron.d/php5. You
+ 30 minutes that cleans up stale session files; /etc/cron.d/php5. You
may need to modify how often this runs, if you've modified
session.gc_maxlifetime in your php.ini; otherwise, it may be too lax
or overly aggressive in cleaning out stale session files.
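Review bot: in the Session storage paragraph, "a cron job run every 30 minutes that cleans up stale session files; /etc/cron.d/php5." still attaches a bare path to the sentence with a semicolon, which reads as a sentence fragment. Suggest "Instead, a cron job (/etc/cron.d/php5) runs every 30 minutes and cleans up stale session files."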
@@ -57,26 +57,26 @@
----------------------------------------------------------------------
Configuration directives extension_dir and include_path should be
- commented out, unless you need special settings for them so php will
+ commented out, unless you need special settings for them so PHP will
look in compiled-in paths. If you set them, you should also add
- appropriate php install directories there.
+ appropriate PHP install directories there.
PHP 5 CGI and Apache HTTP Server
----------------------------------------------------------------------
- In simple cases, what you probably want isn't php5-cgi package at
- all, but rather the libapache2-mod-php5 package, which will
- configure itself on installation and Just Work(tm). If, however, you
+ In simple cases, what you probably want isn't the php5-cgi package
+ at all, but rather the libapache2-mod-php5 package, which will
+ configure itself on installation and Just Work(tm). However, if you
have a need to use the CGI version of PHP 5 with Apache HTTP Server,
the following should help get you going, though there are dozens of
different ways to do this.
- More recent way of doing this is to install php5-fpm package and use
- FastCGI to interface of your webserver. However you will have to
- use libapache2-mod-fastcgi package (from non-free) or different
- FastCGI capable webserver (f.e. nginx or lighttpd) since
- libapache2-mod-fcgid available from main archive has no way how to
- interact with external FastCGI servers.
+ The current recommended approach is to install the php5-fpm package
+ and use FastCGI to interface to your webserver. However, you will
+ have to use the libapache2-mod-fastcgi package (from non-free) or a
+ different FastCGI-capable webserver (such as nginx or lighttpd),
+ since the libapache2-mod-fcgid available from the main archive has
+ no way of interacting with external FastCGI servers.
Please note that this process will never be made automatic, as
php5-cgi is meant to be a webserver-agnostic package that can be
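Review bot: the "Other caveats" sentence at the top of this hunk is still ambiguous after the php/PHP fix: in "should be commented out, unless you need special settings for them so PHP will look in compiled-in paths" the "so PHP will look" clause appears to belong to "special settings" rather than to "commented out". Suggest reordering to "should be commented out, so that PHP will look in the compiled-in paths, unless you need special settings for them."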
@@ -85,26 +85,26 @@
installed side-by-side and both were automatically enabled, the
results would be a bit confusing, obviously.
- You should also be aware, that a server deployed in CGI mode is open
- to several possible vulnerabilities, see upstream CGI security page
- to learn ow to defend yourself from such attacks:
+ You should also be aware that a server deployed in CGI mode is open
+ to several possible vulnerabilities. See the upstream CGI security
+ page to learn how to defend yourself from such attacks:
http://www.php.net/manual/en/security.cgi-bin.php
To use php5-cgi with Apache HTTP Server:
1) activate php5_cgi module: run 'a2enmod php5_cgi'
- 2) this will also activate mod_actions module as a dependency
- 3) comment out last block of configuration in the
+ 2) this will also activate the mod_actions module as a dependency
+ 3) comment out the last block of configuration in the
/etc/apache2/mods-enabled/php5_cgi.conf file to enable
server-wide PHP 5 CGI or add the mentioned configuration block to
one or more virtual hosts or directories.
- 4) It's advised to not mix&match multiple SAPIs (f.e. php5-cgi and
- libapache2-mod-php5) in the same apache2 configuration as it is
- likely to create unpredictable results.
+ 4) It's advised to not mix-and-match multiple SAPIs (such as
+ php5-cgi along with libapache2-mod-php5) in the same apache2
+ configuration as it is likely to create unpredictable results.
Configuration Layout
----------------------------------------------------------------------
- Each SAPI (apache2/apache2filter/cgi/cli/fpm) have a different
+ Each SAPI (apache2/apache2filter/cgi/cli/fpm) has a different
central configuration file /etc/php5/$SAPI/php.ini.
Additionally, each SAPI is configured with the compile-time option
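Review bot: item 4 of the numbered list is advice rather than a step, and it is the only item written as a capitalised sentence with a full stop, so it would read better as a separate paragraph after step 3. In the same item, "mix-and-match" is used as a verb and should not be hyphenated: "It's advised not to mix and match multiple SAPIs".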
@@ -113,9 +113,9 @@
which for all SAPIs is actually a symlink pointing to a central
directory /etc/php5/conf.d. Any file found in this directory ending
- in .ini will be treated as a configuration file by the php SAPI.
+ in .ini will be treated as a configuration file by the PHP SAPI.
- The rationale with this method is that each SAPI can thus be
+ The rationale behind this method is that each SAPI can thus be
identically configured with a minimal amount of conffile handling,
but at the same time if you want to have SAPI-specific
configuration, you can just remove the symlink.
@@ -127,9 +127,9 @@
Timezone data from system timezone database
----------------------------------------------------------------------
- Debian PHP has been patched to use of the system wide timezone
- database from the tzdata package, making sure any updates there are
- automatically used by PHP aswell.
+ Debian PHP has been patched to use the system wide timezone database
+ from the tzdata package, making sure any updates there are
+ automatically used by PHP as well.
Note that this requires that the PHP process has access to
/etc/localtime and /usr/share/zoneinfo. For any regular installation
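Review bot: the first added line, "Debian PHP has been patched to use the system wide timezone database", leaves the compound modifier unhyphenated. Suggest "system-wide timezone database", here and in the matching 5.2.6-1 NEWS entry if that text is ever touched.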
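The handler rules described in the 5.4.4-5 NEWS entry, as an added shell example that is not part of the original mail or of the Debian packaging: it applies the two regular expressions and the find patterns quoted in that entry to file names and reports only the names that stop being interpreted. The function names `classify` and `audit`, the sample names and the `-type f` restriction are assumptions made for this example.

```sh
#!/bin/sh
# Added example: classify file names under the rules quoted in the
# php5 5.4.4-5 NEWS entry. Function names and sample data are hypothetical.

# The two regular expressions exactly as printed in the NEWS entry.
PHP_RE='.+\.ph(p[345]?|t|tml)$'
PHPS_RE='.+\.phps$'

# classify NAME
# Prints one of: php, php-source, bare-extension, double-extension, other
classify() {
    name=${1##*/}                      # look at the file name only
    if printf '%s\n' "$name" | grep -Eq -e "$PHP_RE"; then
        echo php                       # rightmost extension is handled
    elif printf '%s\n' "$name" | grep -Eq -e "$PHPS_RE"; then
        echo php-source
    else
        case $name in
            # A name that is an extension and nothing more, e.g. '.php'.
            .ph[pt]|.php[345s]|.phtml)
                echo bare-extension ;;
            # A PHP extension followed by something else,
            # e.g. blackhat.php.foobar or index.php.cs.
            *.ph[pt].*|*.php[345s].*|*.phtml.*)
                echo double-extension ;;
            *)
                echo other ;;
        esac
    fi
}

# audit BASE
# Runs the find patterns from the NEWS entry (restricted to regular files,
# which is an addition of this example) and keeps only names that no longer
# match either handler expression.
audit() {
    find "$1" -type f \( -name '*.ph[pt].*' -o -name '*.php[345s].*' -o \
        -name '*.phtml.*' -o -name '.ph[pt]' -o \
        -name '.php[345s]' -o -name '.phtml' \) |
    while IFS= read -r path; do
        kind=$(classify "$path")
        case $kind in
            double-extension|bare-extension)
                printf '%s\t%s\n' "$kind" "$path" ;;
        esac
    done
}

# Constructed sample names, including the two from the NEWS entry.
for n in index.php blackhat.php.foobar index.php.cs .php view.phps a.php.php
do
    printf '%-22s %s\n' "$n" "$(classify "$n")"
done
```

A name such as a.php.php is matched by the find patterns but still ends in a handled extension, so `audit` leaves it out of the report.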