Your message dated Sun, 12 Feb 2012 21:09:07 +0000
with message-id <e1rwgft-0002cg...@franck.debian.org>
and subject line Bug#589384: fixed in mime-support 3.52-1
has caused the Debian Bug report #589384,
regarding libapache2-mod-php5: Even with new SetHandler config, php is still 
activated because of mime type
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
589384: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=589384
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libapache2-mod-php5
Version: 5.2.11.dfsg.1-2
Severity: normal


Even with the new

    <FilesMatch "\.ph(p3?|tml)$">
        SetHandler application/x-httpd-php
    </FilesMatch>

config, files named blah.php.blubb are still executed as php scripts because
they are assigned the type application/x-httpd-php in /etc/mime.types and
mod_php will execute all files of this type. This can of course be a security
problem for sites that accept uploaded files.

There are two possible remedies:
- Remove all relevant types from /etc/mime.types
- Add
            RemoveType php phtml pht phps php3 php3p php4 php5
   to php5.conf


I am slightly in favor of the RemoveType solution (together with a comment
explaining the why). Changes to /etc/mime.types may easily be refused
on upgrade by the user (I expect the diff to be rather large).

If you think the correct fix would be to change /etc/mime.types, feel free
to reassign the bug.


NB: RemoveType works for types loaded from mime.types only since apache2
2.2.14-2 (or upstream version 2.2.15).



--- End Message ---
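
Added example (not part of the original bug report or of any Debian package): a Python sketch that lists file names which would be typed application/x-httpd-* through a mime.types table even though the FilesMatch pattern quoted in the report does not match them, and shows the list becoming empty once those types are removed, as the mime-support 3.52-1 changelog describes. The mime.types excerpt, the file names and the simplified lookup rule (every dot-separated extension after the base name is looked up, the rightmost known one sets the type) are assumptions made for illustration.

```python
import re

# Constructed excerpt in /etc/mime.types format (not the real Debian file).
SAMPLE_MIME_TYPES = """\
# MIME type                      extensions
image/jpeg                       jpeg jpg jpe
text/plain                       txt text
application/x-httpd-php          phtml pht php
application/x-httpd-php-source   phps
application/x-httpd-php3         php3
"""

# The FilesMatch pattern quoted in the bug report.
FILESMATCH = re.compile(r"\.ph(p3?|tml)$")

# Constructed upload directory listing.
SAMPLE_NAMES = ["index.php", "blah.php.blubb", "photo.php.jpg",
                "notes.txt", "old.php3.bak"]


def parse_mime_types(text):
    """Return {extension: mime type} from mime.types-style text."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for ext in fields[1:]:
            table[ext.lower()] = fields[0]
    return table


def resolved_type(filename, table):
    """Assumed lookup model: rightmost extension with a known type wins."""
    for ext in reversed(filename.lower().split(".")[1:]):
        if ext in table:
            return table[ext]
    return None


def audit(filenames, table):
    """Names typed application/x-httpd-* that FilesMatch does not cover."""
    flagged = []
    for name in filenames:
        mtype = resolved_type(name, table)
        if (mtype and mtype.startswith("application/x-httpd-")
                and not FILESMATCH.search(name)):
            flagged.append((name, mtype))
    return flagged


def without_httpd_types(table):
    """Table with the application/x-httpd-* entries dropped."""
    return {ext: mtype for ext, mtype in table.items()
            if not mtype.startswith("application/x-httpd-")}
```

Calling audit(SAMPLE_NAMES, parse_mime_types(SAMPLE_MIME_TYPES)) returns the names to review; passing the table through without_httpd_types() first shows the state after the types are removed.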
--- Begin Message ---
Source: mime-support
Source-Version: 3.52-1

We believe that the bug you reported is fixed in the latest version of
mime-support, which is due to be installed in the Debian FTP archive:

mime-support_3.52-1.dsc
  to main/m/mime-support/mime-support_3.52-1.dsc
mime-support_3.52-1.tar.gz
  to main/m/mime-support/mime-support_3.52-1.tar.gz
mime-support_3.52-1_all.deb
  to main/m/mime-support/mime-support_3.52-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 589...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Brian White <bcwh...@pobox.com> (supplier of updated mime-support package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 12 Feb 2012 21:06:40 +0100
Source: mime-support
Binary: mime-support
Architecture: source all
Version: 3.52-1
Distribution: unstable
Urgency: low
Maintainer: Brian White <bcwh...@pobox.com>
Changed-By: Brian White <bcwh...@pobox.com>
Description: 
 mime-support - MIME files 'mime.types' & 'mailcap', and support programs
Closes: 560118 589384 594915 605250 605254 613810 619475 620372 624697 627997 639580 639822 646462 652560 658073
Changes: 
 mime-support (3.52-1) unstable; urgency=low
 .
   * removed application/x-httpd-* types (closes: 589384)
   * added numerous new mime.types (closes: 652560, 624697, 627997, 619475, 639822)
   * fixed some bad mime.types (closes: 605250, 620372, 613810)
   * added dpkg trigger support (closes: 594915)
   * obsolete bugs (closes: 560118, 605254, 639580, 646462, 658073)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----



--- End Message ---
