Debian Webapps and PHP Policy Update
Moin,
below please find updates for the PHP Policy Draft and for the Webapps
Policy Manual Draft. I'd be glad if you could commit both. Feel free
to add my name to the authors listing.
The changes in particular are:
PHP Policy Draft
. Adjusted the URL to the Webapps Policy Draft
. Filled the section about PHP applications by deferring to the
Webapps Policy Draft
Webapps Policy Manual Draft
. Emphasise the need to split files in an application in order to
be able to provide a web-accessible directory and one which is not
accessible to the web-user.
. Adjusted the logic, i.e. adding a 'not' when talking about content
that shouldn't be executed and hence not placed in a
web-accessible directory.
. Capitalise Apache (since PHP and Perl are used in their respective
spelling as well)
. Capitalise PHP once (must've been forgotten before)
. Added a link to the debian policy for documentation
. Added some notes about most common PHP application insecurities
I've also taken the liberty to add both drafts and the db application
draft to the list of policy manuals to <http://www.debian.org/devel/>
since developers are searching for these documents and willing to use
them already. Their content should be sufficiently stabilised as
well. In case you don't like this, please let me know and I'll revert
this.
The PHP Policy Draft has quite a lot of XXX in it and hasn't been updated
for quite a while. Is there no consensus on the open issues?
Regards,
Joey
--
There are lies, statistics and benchmarks.
Please always Cc to me when replying to me on the lists.
Index: PHP-Policy-Manual-DRAFT.sgml
===================================================================
--- PHP-Policy-Manual-DRAFT.sgml (revision 108)
+++ PHP-Policy-Manual-DRAFT.sgml (working copy)
@@ -12,7 +12,7 @@
Debian GNU/Linux distribution, and the policy requirements
for packaged PHP applications, libraries, and add-on extensions.
<copyright>
- Copyright © 2005 The Debian Webapps Team
+ Copyright © 2005,6 The Debian Webapps Team
<email>debian-webapps@lists.debian.org</email>.
<p>
This manual is free software; you may redistribute
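Review bot: the copyright line in this hunk abbreviates the year range as "2005,6"; spell the years out ("2005, 2006" or "2005-2006") so the notice is unambiguous and machine-readable.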
@@ -80,9 +80,9 @@
provide requirements and/or best practices
for such situations:
<list>
- <item><url id="http://webapps-common.alioth.debian.org/doc/" name="Web Application Policy"> for covering issues specific to applications which
+ <item><url id="http://webapps-common.alioth.debian.org/draft/html/" name="Web Application Policy"> for covering issues specific to applications which
take part in a web-based interface.
- <item><url id="http://people.debian.org/~seanius/policy/dbapp-policy.html" name="Database Application Policy"> for covering issues relating to interaction with database servers and management of application databases.
+ <item><url id="http://people.debian.org/~seanius/policy/dbapp-policy.html/" name="Database Application Policy"> for covering issues relating to interaction with database servers and management of application databases.
</list>
<sect id="terms">Terms and Conventions
<p>
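Review bot: the trailing slash appended to the Database Application Policy link turns a file URL into a directory URL ("dbapp-policy.html/"), which a web server will normally not resolve to the .html file; the slash is appropriate for the directory-style Web Application Policy URL ("draft/html/") changed in the same hunk, but should be dropped from the .html one.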
@@ -205,9 +205,13 @@
<chapt id="php-apps">PHP applications
<p>
- XXX do we actually need anything here? maybe talking about proper dependencies?
- <sect id="php-apps-naming">Packages and naming scheme
- <sect id="php-apps-fs">File and directory layout
+ Whenever possible you should name the application the
+ same as the upstream developers.
+ <p>
+ The specific to the packaging of PHP applications are
+ covered in the <url
+ id="http://webapps-common.alioth.debian.org/draft/html/ch-issues.html"
+ name="Webapps Policy Manual">.
<chapt id="php-libs">PHP libraries
<p>
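Review bot: the added sentence "The specific to the packaging of PHP applications are covered in" is ungrammatical; suggest "The specifics of packaging PHP applications are covered in". This hunk also removes the empty "Packages and naming scheme" and "File and directory layout" sections while the replacement text only states a naming rule, and it links directly to "ch-issues.html" of the Webapps draft rather than to the manual's top page as the other cross-references in this file do, so the link will break if that draft's chapter file names change.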
Index: Webapps-Policy-Manual-DRAFT.sgml
===================================================================
--- Webapps-Policy-Manual-DRAFT.sgml (revision 108)
+++ Webapps-Policy-Manual-DRAFT.sgml (working copy)
@@ -89,8 +89,8 @@
Where possible, this document will defer
to these other policies:
<list>
- <item><url id="http://people.debian.org/~seanius/policy/dbapp-policy.html" name="Database Application Policy">
- <item><url id="http://webapps-common.alioth.debian.org/draft-php/html" name="Debian PHP Policy">
+ <item><url id="http://people.debian.org/~seanius/policy/dbapp-policy.html/" name="Database Application Policy">
+ <item><url id="http://webapps-common.alioth.debian.org/draft-php/html/" name="Debian PHP Policy">
<item><url id="http://www.debian.org/doc/packaging-manuals/perl-policy/" name="Debian Perl Policy">
</list>
<chapt id="terms">Terms and Conventions
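Review bot: as with the same link elsewhere in the patch, the added trailing slash on "dbapp-policy.html/" makes a file URL look like a directory and is likely to 404; the slash on "draft-php/html/" is correct because that target is a directory.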
@@ -193,7 +193,7 @@
<tag>Other static data, and helper scripts that don't belong in users' paths
<item>A unique subdirectory of <file>/usr/share/<var>PACKAGE</var></file>
<tag>Persistent application data, Cached/regenerated application data, rrd, mrtg and other database files
- <item>See <url id="http://people.debian.org/~seanius/policy/dbapp-policy.html" name="database application policy">.
+ <item>See <url id="http://people.debian.org/~seanius/policy/dbapp-policy.html/" name="database application policy">.
<tag>Site configuration (settings/passwords)
<item><file>/etc/<var>PACKAGE</var></file>
<tag>Modifiable and overridable content
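Review bot: the trailing slash added to "dbapp-policy.html/" in this hunk should be dropped; the target is an HTML file, not a directory.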
@@ -301,13 +301,46 @@
<p>
If the web application needs a database
to run properly, it must abide by the
- <url id="http://people.debian.org/~seanius/policy/dbapp-policy.html" name="database application policy">.
+ <url id="http://people.debian.org/~seanius/policy/dbapp-policy.html/" name="database application policy">.
The maintainer is highly encouraged to use
a common tool such as dbconfig-common to
perform the database configuration. Please
- see the <url id="http://people.debian.org/~seanius/policy/dbconfig-common-using.html" name="dbconfig-common manual"> for
+ see the <url id="http://people.debian.org/~seanius/policy/dbconfig-common-using.html/" name="dbconfig-common manual"> for
more information.
+ <sect id="security-php">Security measurements
+ <p>
+ PHP applications must not depend on
+ the "register_global" setting turned
+ on in Apache or other httpds.
+ <p>
+ PHP applications should take extra
+ care not to use internal variables
+ before their initialisation, in case
+ "register_global" is turned on by the
+ administrator.
+ <p>
+ Include files should not emit any
+ output, not even error messages, in
+ case they are executed directly or
+ exposed in a web-accessible directory.
+ <p>
+
+ Web-based applications should not
+ blindly trust any user-provided data.
+ Before emitting them, the data need to
+ be checked for cross-site scripting
+ attempts, i.e. HTML code needs to be
+ escaped. Input for databases need to
+ be checked against SQL-injection
+ attempts, i.e. quotes need to be
+ escaped. User-driven arguments to any
+ file or permission related functions
+ need to be checked against information
+ disclosure, i.e. input need to be
+ checked for ways to escape the
+ intended path on the filesystem.
+
<sect id="issues-archindep">Architecture independent scripts (Perl, PHP and others)
<p>Scripts that shouldn't normally need
to exist in the standard system path should
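Review bot: the PHP directive referenced twice in this hunk is "register_globals" (plural), not "register_global"; an administrator grepping php.ini for the misspelled name will find nothing. The section title "Security measurements" should read "Security measures", the two stray blank lines inside the last <p> should be removed, and "SQL-injection" needs no hyphen. The trailing-slash problem on "dbapp-policy.html/" and "dbconfig-common-using.html/" applies here as well. For the SQL guidance, "quotes need to be escaped" is a weak criterion on its own; consider recommending the database-specific escaping functions or parameterised queries, since hand-escaping quotes is a common source of residual injection bugs.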
@@ -322,6 +355,9 @@
interpretation via the web must exist in
locations where their underlying source code
can be directly retrieved.
+ <p>This may require to split upstream source
+ into two directories and adjusting the
+ include path or statements.
<sect id="issues-archdep">Architecture dependant binaries
<p>The policy for Architecture dependant binaries
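Review bot: "This may require to split upstream source into two directories and adjusting the include path" mixes an infinitive with a gerund and drops an article; suggest "This may require splitting the upstream source into two directories and adjusting the include path or statements."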
@@ -334,7 +370,7 @@
though this may
become deprecated in the future.
<p>Similar to Architecture-independent files,
- if such files are intended to be executed via
+ if such files are not intended to be executed via
the web, they must not exist in a location
where they can be directly retrieved.
@@ -362,7 +398,7 @@
<p>
Issues specific to the PHP programming language
are covered in the
- <url id="http://webapps-common.alioth.debian.org/draft-php/html" name="PHP Policy"> Document
+ <url id="http://webapps-common.alioth.debian.org/draft-php/html/" name="PHP Policy"> Document
<sect id="perl">Perl
<p>
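Review bot: the sentence still ends with a capitalised "Document" and no full stop after the changed link; suggest "... name="PHP Policy"> document." The slash added to the directory-style "draft-php/html/" URL is fine.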
@@ -393,13 +429,13 @@
should use the web server's
implementation of an "alias"
directive. For example,
- in apache directive is named
+ in Apache the directive is named
"Alias". For web servers that do
not provide such a directive, the
local administrator is responsible
for placing symbolic links in
the document root to make an
- application web-accessible.
+ application accessible to web-users.
<sect1 id="httpd-register-httpd">Registering and unregistering an application with web servers
<p>
@@ -411,7 +447,7 @@
the target web server supports
drop-in configuration via a
configuration file directory (such
- as the apache family of httpds'
+ as the Apache family of httpds'
<file>conf.d</file> directories) or
"include" configuration. In the
case of the latter, standard Debian
@@ -427,7 +463,8 @@
the package in question should
instead provide the configuration
as an example following standard
- Debian documentation policy.
+ Debian <url id="http://www.debian.org/doc/debian-policy/ch-docs"
+ name="documentation policy">.
<p>
Such configuration should only be
performed during installation. During
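Review bot: the new link id="http://www.debian.org/doc/debian-policy/ch-docs" lacks the ".html" suffix that the other chapter links in these drafts carry (for example "ch-issues.html"); verify that the URL resolves as written or use the full chapter file name.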
@@ -460,7 +497,7 @@
hosts:
<list>
<item>
- The apache module mod_env can be used
+ The Apache module mod_env can be used
to provide applications with information
on where to find config files
<item>
@@ -471,7 +508,7 @@
information to find what config
file/script it should use
<item>
- For php applications under apache, one
+ For PHP applications under Apache, one
can use "php_value auto_prepend_file"
to provide configuration scripts for
the application