
Re: Review of php5-cgi NEWS file



Ondřej Surý wrote:
> could you please check the new paragraph I have just added to php5-cgi
> NEWS file?  It should warn the people to check the PHP (mainly
> FastCGI) configuration as described in #687307.

That is:

| php5 (5.4.4-5) unstable; urgency=low
| 
|  Please be aware that the mime-support package has dropped non-standard
|  definitions for PHP that might affect any systems using PHP 5 running
|  as CGI or FastCGI.  The following definitions were dropped:

This says that the mime-definitions might affect particular systems,
when what it ought to say is that the *change* might affect them, so
while I'm here I'll give it a minimal fix of s/ that/, which/

|  
|   application/x-httpd-php                        phtml pht php
|   application/x-httpd-php-source                 phps
|   application/x-httpd-php3                       php3
|   application/x-httpd-php3-preprocessed          php3p
|   application/x-httpd-php4                       php4
|   application/x-httpd-php5                       php5
| 
|  The php5-cgi package mitigates any known issues by creating a (dummy)
|  apache2 module php5_cgi with a configuration containing handlers for
|  all previously defined extensions.  Even though we believe that this
|  configuration should keep your PHP scripts interpreted, it might be a
|  good idea to check your apache2 site-wide configuration as well as
|  any specific PHP configuration for websites running on your system.

I would suggest s/interpreted/working/, unless it really does mean
that there's a risk it'll cause your PHP scripts to become compiled
binaries instead.
 
|  The new (dummy) php5_cgi configuration uses SetHandler directive and
|  thus it might interfere with your existing custom configuration like
|  FastCGI (mod_fcgid or mod_fastcgi).  In that case please disable
|  php5_cgi module (a2dismod php5_cgi) to reenable the existing
|  functionality of your custom configuration.  It is also advised that
|  you check your custom configuration whether it's not vulnerable to
|  foo.php.jpeg attacks.  The php5_cgi configuration snippet can be used
|  as base - it's important to use FilesMatch or Files directive to
|  limit the handling to the last extension.

Yes, this has a few unidiomatic bits, though it's not hard to see
what it means:

   The new (dummy) php5_cgi configuration uses the SetHandler directive,
   which might interfere with existing custom configurations such as
   FastCGI (mod_fcgid or mod_fastcgi).  If so, you can reenable the
   existing functionality of your custom configuration by disabling the
   php5_cgi module (a2dismod php5_cgi), but you are also advised to
   check whether your custom configuration is vulnerable to foo.php.jpeg
   attacks.  The php5_cgi configuration snippet can be used as a base -
   it's important to use the FilesMatch or Files directive to limit the
   handling to the last extension.
 
|  As far as we know definitions from the mime-support packages are not
|  used in any other webserver included in Debian, but it might affect
|  any application which relies on system MIME types to interpret PHP
|  files.
| 
|  -- Ondřej Surý <ondrej@debian.org>  Wed, 15 Aug 2012 10:31:31 +0200


-- 
JBR	with qualifications in linguistics, experience as a Debian
	sysadmin, and probably no clue about this particular package
php5 (5.4.4-5) unstable; urgency=low

 Please be aware that the mime-support package has dropped non-standard
 definitions for PHP, which might affect any systems using PHP 5
 running as CGI or FastCGI.  The following definitions were dropped:
 
  application/x-httpd-php                        phtml pht php
  application/x-httpd-php-source                 phps
  application/x-httpd-php3                       php3
  application/x-httpd-php3-preprocessed          php3p
  application/x-httpd-php4                       php4
  application/x-httpd-php5                       php5

 The php5-cgi package mitigates any known issues by creating a (dummy)
 apache2 module php5_cgi with a configuration containing handlers for
 all previously defined extensions.  Even though we believe that this
 configuration should keep your PHP scripts working, it might be a
 good idea to check your apache2 site-wide configuration as well as
 any specific PHP configuration for websites running on your system.

 The new (dummy) php5_cgi configuration uses the SetHandler directive,
 which might interfere with existing custom configurations such as
 FastCGI (mod_fcgid or mod_fastcgi).  If so, you can reenable the
 existing functionality of your custom configuration by disabling the
 php5_cgi module (a2dismod php5_cgi), but you are also advised to
 check whether your custom configuration is vulnerable to foo.php.jpeg
 attacks.  The php5_cgi configuration snippet can be used as a base -
 it's important to use the FilesMatch or Files directive to limit the
 handling to the last extension.

 As far as we know definitions from the mime-support packages are not
 used in any other webserver included in Debian, but it might affect
 any application which relies on system MIME types to interpret PHP
 files.

 -- Ondřej Surý <ondrej@debian.org>  Wed, 15 Aug 2012 10:31:31 +0200
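To make the "limit the handling to the last extension" advice concrete, here is an added illustration (my own, not the php5_cgi snippet shipped by the package or anything from the NEWS file) of the weak extension-based form beside the anchored FilesMatch form; the handler name, the /cgi-bin/php5 Action target and the use of mod_actions are assumptions for the sake of the example.

```apache
# Weak form: mod_mime evaluates *every* dotted segment of a filename, so a
# handler attached to ".php" also fires for "upload.php.jpeg". A file that a
# user was allowed to upload as an image is then executed as PHP.
AddHandler application/x-httpd-php .php
Action     application/x-httpd-php /cgi-bin/php5

# Hardened form: match the whole filename and anchor at "$" so only the last
# extension counts. "upload.php.jpeg" no longer matches; "index.php" still does.
# The alternation covers the executable extensions the NEWS file lists
# (php, php3, php4, php5, php3p, phtml, pht); phps (source display) is left out.
<FilesMatch "\.(php[345]?|php3p|phtml|pht)$">
    SetHandler application/x-httpd-php
</FilesMatch>
Action     application/x-httpd-php /cgi-bin/php5
```

After switching, `apache2ctl -t` validates the syntax, and requesting a deliberately created test file named like foo.php.jpeg from a throwaway directory should return it as a plain download or image rather than interpreter output.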
