On Mon, Aug 20, 2012 at 8:12 PM, Stefan Fritsch s...@debian.org wrote:
On Monday 20 August 2012, Ondřej Surý wrote:
Ah, I see; it gets executed when there is no know handler or
mime-type for second extension.
E.g. index.php.jpeg works as expected (e.g. returning PHP source
code),
Default PHP extension configuration
^^^
This needs Apache 2, e.g.
Default PHP extension configuration for Apache 2.
---
The mime-types package has dropped non-standard definitions of
PHP MIME-Types as a security measure. Default PHP configuration
for
On Tue, Aug 21, 2012 at 9:38 AM, Konstantin Khomoutov
flatw...@users.sourceforge.net wrote:
On Tue, Aug 21, 2012 at 09:07:59AM +0200, Ondřej Surý wrote:
[...]
Maybe add just a small paragraph that the configuration of the
extensions has changed and php users should read the NEWS file?
On Tue, Aug 21, 2012 at 09:07:59AM +0200, Ondřej Surý wrote:
[...]
Maybe add just a small paragraph that the configuration of the
extensions has changed and php users should read the NEWS file?
That's probably sensible approach. I have quickly drafted short
paragraph which can be used for
On Mon, Aug 20, 2012 at 03:12:14PM +0100, Steven Chamberlain wrote:
On 20/08/12 14:35, Wouter Verhelst wrote:
On Mon, Aug 20, 2012 at 01:10:57PM +0100, Steven Chamberlain wrote:
Yes it's possible some people rely on that behaviour, e.g. serving JPEG
data from PHP scripts named like
On Mon, Aug 20, 2012 at 06:40:54PM +0200, Marco d'Itri wrote:
On Aug 20, Wouter Verhelst w...@uter.be wrote:
But some sites accept file uploads with arbitrary names, perhaps
expected to be a JPEG image, but actually named bar.php.jpeg and
containing malicious server-side PHP which they
On Tue, 21 Aug 2012 09:48:37 +0200
Ondřej Surý ond...@debian.org wrote:
[...]
The mime-types package has dropped non-standard definitions of
PHP MIME-Types as a security measure. Default PHP configuration
for libapache2-mod-php5{filter} and php5-cgi now only serve files
which have .php,
On Tue, 2012-08-21 at 09:07 +0200, Ondřej Surý wrote:
Maybe add just a small paragraph that the configuration of the
extensions has changed and php users should read the NEWS file?
That's probably sensible approach. I have quickly drafted short
paragraph which can be used for release
On Sun, Aug 19, 2012 at 11:17:26AM +0900, Charles Plessy wrote:
- In Squeeze, using default configurations, files with .php in their name
such as foo.php.jpeg are executed as PHP scripts by the Apache web
servers
runing PHP scripts through php5-cgi.
Maybe that's because it's expected
On 20/08/12 08:02, Wouter Verhelst wrote:
On Sun, Aug 19, 2012 at 11:17:26AM +0900, Charles Plessy wrote:
- In Squeeze, using default configurations, files with .php in their name
such as foo.php.jpeg are executed as PHP scripts by the Apache web
servers
runing PHP scripts through
Hi all,
[multiple messages from d-d and d-r merged together]
I am also concerned that a *simple* solution to restore the old
behaviour in a secure way is not provided: maybe php5-cgi should install
a sensible default configuration in /etc/apache2/conf.d/ ?
I have prepared new update for PHP
On Mon, Aug 20, 2012 at 12:58:42AM +0200, Christoph Anton Mitterer wrote:
But if anyone would lobby that (release goal: default to CGI/FCGI),
they'd have definitely my support :)
A bit late for wheezy, do you mean for +1?
--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with
Le Mon, Aug 20, 2012 at 02:57:10PM +0200, Ondřej Surý a écrit :
I have prepared new update for PHP based on comments from d-d. The
commit is here:
http://anonscm.debian.org/gitweb/?p=pkg-php/php.git;a=commit;h=72eef08994f65b227103509617652d7c0bf0587a
Hi Ondřej,
many thanks for this work.
On Mon, Aug 20, 2012 at 01:10:57PM +0100, Steven Chamberlain wrote:
On 20/08/12 08:02, Wouter Verhelst wrote:
On Sun, Aug 19, 2012 at 11:17:26AM +0900, Charles Plessy wrote:
- In Squeeze, using default configurations, files with .php in their
name
such as foo.php.jpeg are executed as
On Mon, Aug 20, 2012 at 3:35 PM, Charles Plessy ple...@debian.org wrote:
Charles, did you test that or you base that claim on Christoph's
mails? I have just tested both php5-cgi in standard configuration as
recommended in README.Debian and this claim doesn't seem to be true:
$ wget -q -O -
On 20/08/12 14:35, Wouter Verhelst wrote:
On Mon, Aug 20, 2012 at 01:10:57PM +0100, Steven Chamberlain wrote:
Yes it's possible some people rely on that behaviour, e.g. serving JPEG
data from PHP scripts named like foo.php.jpeg.
Sorry, I was wrong. For extensions like .jpeg with a known MIME
On Aug 20, Wouter Verhelst w...@uter.be wrote:
But some sites accept file uploads with arbitrary names, perhaps
expected to be a JPEG image, but actually named bar.php.jpeg and
containing malicious server-side PHP which they could execute from the
browser.
Don't Do That Then(TM).
I see
On Monday 20 August 2012, Ondřej Surý wrote:
Ah, I see; it gets executed when there is no know handler or
mime-type for second extension.
E.g. index.php.jpeg works as expected (e.g. returning PHP source
code), index.php.blubb but gets executed. I don't think there's any
harm in disabling
On Mon, 2012-08-20 at 09:02 +0200, Wouter Verhelst wrote:
Maybe that's because it's expected they would be PHP scripts emitting
JPEG files, not plain JPEG files? This seems like a feature to me, not a
bug. Why was support for that removed?
I think that's really wrong style then...
Content
On Mon, 2012-08-20 at 14:06 +0100, Jon Dowland wrote:
On Mon, Aug 20, 2012 at 12:58:42AM +0200, Christoph Anton Mitterer wrote:
But if anyone would lobby that (release goal: default to CGI/FCGI),
they'd have definitely my support :)
A bit late for wheezy, do you mean for +1?
Yeah,... of
Hi Ondřej.
On Mon, 2012-08-20 at 14:57 +0200, Ondřej Surý wrote:
http://anonscm.debian.org/gitweb/?p=pkg-php/php.git;a=commit;h=72eef08994f65b227103509617652d7c0bf0587a
- You mention in the README.Debian now, that no other webserver likely used
/etc/mime.types.
Wasn't there someone who meant
Charles Plessy ple...@debian.org (19/08/2012):
This will interrupt upgrade of servers using php5-cgi, but to avoid
surprises, the rough consensus in #674089 is also to document the same
information in the release notes.
I guess we could consider that for a very specific, low-popcon package.
On 12-08-19 at 11:17am, Charles Plessy wrote:
- PHP scripts can be executed by Apache httpd through libapache2-mod-php5 or
php5-cgi. Debian recommends libapache2-mod-php5, but there are still
thousands of installations wich report the use of php5-cgi according to the
Popularity
Charles Plessy ple...@debian.org writes:
In summary:
- PHP scripts can be executed by Apache httpd through libapache2-mod-php5 or
php5-cgi. Debian recommends libapache2-mod-php5, but there are still
thousands of installations wich report the use of php5-cgi according to the
On 19/08/12 03:20, Charles Plessy wrote:
- PHP scripts can be executed by Apache httpd through libapache2-mod-php5 or
php5-cgi. Debian recommends libapache2-mod-php5, but there are still
thousands of installations wich report the use of php5-cgi according to the
Popularity Contest
On Aug 19, Charles Plessy ple...@debian.org wrote:
- PHP scripts can be executed by Apache httpd through libapache2-mod-php5 or
php5-cgi. Debian recommends libapache2-mod-php5, but there are still
This is another issue which concerns me, since mod_php forces the use of
preforking apache,
On Sun, 2012-08-19 at 12:43 +0200, Cyril Brulebois wrote:
I guess we could consider that for a very specific, low-popcon package.
But knowingly interrupting upgrades for a well-known problem, on a very
high number of systems? I'm not sure that's appropriate. Quite the
opposite, actually.
I
On Sun, 2012-08-19 at 17:26 +0200, Jonas Smedegaard wrote:
FWiW, out of the ~7'500 popcon hits of regular use of php5-cgi, ~900
also regularly uses suphp, so might be unaffected by this issue.
mights are not something we should build our security upon.
And apart from that... I had a very short
On Sun, 2012-08-19 at 18:16 +0100, Roger Lynn wrote:
How does this affect other web servers?
There was someone mentioning that lighthtttp may use /etc/mime.types,
too.
So yes, basically anything (though I guess security critical things
should only be found at webservers, as they typically serve
Hey Russ, Marco.
On Sun, 2012-08-19 at 22:32 +0200, Marco d'Itri wrote:
thousands of installations wich report the use of php5-cgi according to
the
Popularity Contest statistics.
Yes, because sensible people who need PHP will try to use it as
CGI/FastCGI (or FPM, finally in
On Sun, 2012-08-19 at 22:32 +0200, Marco d'Itri wrote:
I am also concerned that a *simple* solution to restore the old
behaviour in a secure way is not provided: maybe php5-cgi should install
a sensible default configuration in /etc/apache2/conf.d/ ?
Again, I don't think this saves us from
On Sun, 19 Aug 2012, Marco d'Itri wrote:
On Aug 19, Charles Plessy ple...@debian.org wrote:
- PHP scripts can be executed by Apache httpd through libapache2-mod-php5
or
php5-cgi. Debian recommends libapache2-mod-php5, but there are still
This is another issue which concerns me, since
Dear release team and developer community,
due to changes in the mime-support package, upgrade of systems serving PHP
websites through CGI will not be automatic. There is
http://bugs.debian.org/674089 (critical) where the issue is discussed, and I
would like to reassign it to the release notes.
33 matches
Mail list logo
