Package: phpmyadmin Version: 4:3.4.11.1-2 Severity: important Tags: patch Dear Maintainer,
when upgrading from oldstable (squeeze) to stable (wheezy), running both suphp (for user-hosted applications) and mod_php (for debian packaged web applications like phpmyadmin et.al. in /usr/share/) on Apache 2.2.x, phpmyadmin will break, probably due to configuration changes in libapache2-mod-suphp and libapache2-mod-php5. The problem persists in phpmyadmin-4:4.0.10-1, AFAIS. As phpmyadmin breaks when upgrading in this configuration, I consider this bug IMPORTANT; please feel free to downgrade it if you don't follow my reasoning. It may be that suphp is at fault; see <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=727785> for another possible fix. Please re-assign the bug accordingly if applicable. Problem/Symptoms: ----------------- Apache will send the phpmyadmin source to the browser instead of parsing the scripts. Prolem Description: ------------------- When using suphp together with mod_php, suphp is disabled for debian packaged applications in /etc/apache2/mods-available/suphp.conf: | # By default, disable suPHP for debian packaged web applications as files | # are owned by root and cannot be executed by suPHP because of min_uid. | <Directory /usr/share> | suPHP_Engine off | </Directory> So phpmyadmin will happily run under mod_php in squeeze. This dosn't work any longer in Wheezy. AFAIS this is due to changes in handling of PHP files, namely by suphp. Debian Squeeze: + /etc/apache2/mods-available/suphp.conf | <IfModule mod_suphp.c> | AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml | suPHP_AddHandler application/x-httpd-suphp | [...] | </IfModule> + /etc/apache2/mods-available/php5.conf | <IfModule mod_php5.c> | <FilesMatch "\.ph(p3?|tml)$"> | SetHandler application/x-httpd-php | </FilesMatch> | [...] | </IfModule> Debian Wheezy: + /etc/apache2/mods-available/suphp.conf | <IfModule mod_suphp.c> | <FilesMatch "\.ph(p3?|tml)$"> | SetHandler application/x-httpd-suphp | </FilesMatch> | suPHP_AddHandler application/x-httpd-suphp | [...] | </IfModule> + /etc/apache2/mods-available/php5.conf | <FilesMatch ".+\.ph(p[345]?|t|tml)$"> | SetHandler application/x-httpd-php | </FilesMatch> | [...] As /etc/apache2/mods-available/suphp.conf is parsed after /etc/apache2/mods-available/php5.conf, the "SetHandler application/x-httpd-suphp" directive will replace "SetHandler application/x-httpd-php", and as suphp is disabled for all files in /usr/share by "suPHP_Engine off", PHP scripts in /usr/share/phpmyadmin won't be parsed any more. Changing the suphp.conf back to its Squeeze version will fix that problem, but may not be prudent, as I remember a lenghty discussion concerning the correct handling of MIME types. Suggested fix: -------------- Add the mod_php configuration snippet from /etc/apache2/mods- available/php5.conf to /etc/phpmyadmin/apache.conf as follows: | # phpMyAdmin default Apache configuration | | Alias /phpmyadmin /usr/share/phpmyadmin | | <Directory /usr/share/phpmyadmin> | Options FollowSymLinks | DirectoryIndex index.php | SSLRequireSSL | | <IfModule mod_php5.c> | AddType application/x-httpd-php .php |+ <FilesMatch ".+\.ph(p[345]?|t|tml)$"> |+ SetHandler application/x-httpd-php |+ </FilesMatch> | | php_flag magic_quotes_gpc Off | php_flag track_vars On | php_flag register_globals Off | php_admin_flag allow_url_fopen Off | php_value include_path . | php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp | php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/ | </IfModule> | | </Directory> | [...] Patch - against 4:4.0.10-1 - attached. See <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=727785> for another possible fix. Regards, -thh -- System Information: Debian Release: 7.3 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages phpmyadmin depends on: ii dbconfig-common 1.8.47+nmu1 ii debconf [debconf-2.0] 1.5.49 ii libapache2-mod-php5 5.4.4-14+deb7u7 ii perl 5.14.2-21+deb7u1 ii php5-cgi 5.4.4-14+deb7u7 ii php5-mcrypt 5.4.4-14+deb7u7 ii php5-mysql 5.4.4-14+deb7u7 ii ttf-dejavu-core 2.33-3 ii ucf 3.0025+nmu3 Versions of packages phpmyadmin recommends: ii apache2 2.2.22-13 ii apache2-mpm-prefork [httpd] 2.2.22-13 ii mysql-client 5.5.33+dfsg-0+wheezy1 ii mysql-client-5.5 [mysql-client] 5.5.33+dfsg-0+wheezy1 ii php5-gd 5.4.4-14+deb7u7 Versions of packages phpmyadmin suggests: ii epiphany-browser [www-browser] 3.4.2-2.1 ii iceweasel [www-browser] 17.0.10esr-1~deb7u1 ii lynx-cur [www-browser] 2.8.8dev.12-2 ii mysql-server 5.5.33+dfsg-0+wheezy1 -- Configuration Files: /etc/phpmyadmin/apache.conf changed [not included] -- debconf information: phpmyadmin/remove-error: abort phpmyadmin/setup-username: admin phpmyadmin/db/app-user: phpmyadmin phpmyadmin/install-error: abort * phpmyadmin/reconfigure-webserver: apache2 phpmyadmin/remote/host: * phpmyadmin/dbconfig-install: true phpmyadmin/remote/port: * phpmyadmin/dbconfig-upgrade: true phpmyadmin/mysql/admin-user: root phpmyadmin/internal/reconfiguring: false phpmyadmin/missing-db-package-error: abort phpmyadmin/remote/newhost: phpmyadmin/upgrade-error: abort phpmyadmin/dbconfig-reinstall: false phpmyadmin/db/dbname: phpmyadmin phpmyadmin/database-type: mysql phpmyadmin/internal/skip-preseed: false phpmyadmin/upgrade-backup: true phpmyadmin/dbconfig-remove: phpmyadmin/passwords-do-not-match: phpmyadmin/mysql/method: unix socket phpmyadmin/purge: false
--- apache.conf 2013-07-28 10:55:17.000000000 +0200 +++ apache.conf.new 2014-01-06 12:23:14.009209585 +0100 @@ -8,6 +8,9 @@ <IfModule mod_php5.c> AddType application/x-httpd-php .php + <FilesMatch ".+\.ph(p[345]?|t|tml)$"> + SetHandler application/x-httpd-php + </FilesMatch> php_flag magic_quotes_gpc Off php_flag track_vars On