
Re: Fixing stupid PHP application design flaws



On Fri, April 29, 2005 1:42, Javier Fernández-Sanguino Peña said:
> On Thu, Apr 28, 2005 at 10:04:00PM +0200, Hans Spaans wrote:
>> Is this going to solve the problems? Don't get me wrong, because I love
>> your goal, but I don't believe that what you are suggesting right now is
>> going to solve the problems with PHP at this moment. Maybe it's an idea
>> to get in contact with Rasmus about securing PHP, because he's trying to
>> get a more secure and sane php4.ini in the upstream releases. Unluckily
> (...)
>
> Well, you've probably missed Bug #274374, which is a step in that
> direction. If anyone has comments or improvements on the php.ini-paranoid
> file provided in the php4 package please send them my way, I would love to
> see that improved.

Both paranoid and recommended seem to be fine. The only thing I'm
wondering is why short_open_tag is left on in both situations. And maybe
add an extra example of how to set PHP settings in Apache for vhosts? If
someone wishes, I could write one, since I have enough examples running ;-)

>> Besides the fact that your plan has some issues with multiple
>> installations, because some applications require that for multiple vhosts,
>> it may be a better idea to start with PHP itself and ask during
>> installation whether the user wants to install a secure or insecure version
>> of php4.ini. The same is done with setuid issues, for example.
>
> Why not ask that of the PHP maintainers? The file is already there; it's
> just a matter of having debconf ask this on the first install and replace
> the default file. If anyone were to provide a patch implementing this, I
> don't see why the Debian PHP maintainers would not add it in.

I know, but it has a big impact on Debian. Also, I got the impression from
Martin's first post that he was trying to get an idea about the impact,
reasons and ways to fix it. But since the maintainers are already following
this thread, it would be nice to hear their point of view on this situation,
and also Martin's, because changes like these really get other packages
into trouble.

Hans
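As an added illustration of the per-vhost PHP configuration Hans offers to write up (this is not from the thread, from the php4 package or from php.ini-paranoid; the hostnames, paths and the particular set of directives below are assumptions), here is what an Apache 2 configuration that keeps the strict global defaults but relaxes one setting for a single legacy application can look like. The php_admin_flag/php_admin_value directives are mod_php's own; unlike php_flag/php_value they cannot be overridden from .htaccess or with ini_set() inside the application.

```apache
# Added example, not a file from the php4 package or the mail thread.
# Hostnames and filesystem paths are placeholders.

<VirtualHost *:80>
    ServerName app1.example.org
    DocumentRoot /var/www/app1

    # php_admin_* values are locked: .htaccess and ini_set() cannot undo them,
    # which makes them the right tool for the security-relevant knobs.
    php_admin_flag  register_globals   Off
    # Require the full <?php tag; short tags make <?xml ... ?> prologues
    # and copy-pasted templates behave unpredictably.
    php_admin_flag  short_open_tag     Off
    php_admin_flag  expose_php         Off
    php_admin_flag  display_errors     Off
    php_admin_flag  log_errors         On
    # Do not let include()/fopen() pull in remote URLs.
    php_admin_flag  allow_url_fopen    Off
    # Confine file access to this application's tree (plus a temp dir).
    php_admin_value open_basedir       /var/www/app1:/tmp
    php_admin_value upload_tmp_dir     /tmp
    # Give every vhost its own session directory so one application cannot
    # read or hijack another application's session files.
    php_admin_value session.save_path  /var/lib/php4/app1
    php_admin_value disable_functions  "exec,passthru,shell_exec,system,proc_open,popen"
</VirtualHost>

<VirtualHost *:80>
    ServerName legacy.example.org
    DocumentRoot /var/www/legacy

    # A legacy application that still needs short tags gets them only here;
    # every other vhost keeps the strict default from php.ini.
    php_admin_flag  short_open_tag     On
    php_admin_value open_basedir       /var/www/legacy:/tmp
    php_admin_value session.save_path  /var/lib/php4/legacy
</VirtualHost>
```

On Debian such blocks would typically live in a per-site file under /etc/apache2/sites-available. To check that a vhost really received its settings, place a throwaway script calling phpinfo() (or printing ini_get('short_open_tag') and ini_get('open_basedir')) under that vhost's DocumentRoot, request it through that hostname, and remove it afterwards; the "Local Value" column in phpinfo() shows the per-vhost override next to the php.ini "Master Value".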


