ID: 14909 Updated by: imajes Reported By: [EMAIL PROTECTED] Status: Critical Old Bug Type: Documentation problem Bug Type: Apache related Operating System: Windows PHP Version: 4.1.1 Assigned To: imajes New Comment:
the documentation is fixed, i committed this morning/last night. there is however a bug in the way apache handles the binary -- or the way php acts when called as a binary (you can get premature end of script headers). What i would like to do is leave this open, and noticeable for some of the apache guys to take a look at and comment on it. The docs are fixed.... we just need to wait to see if this is a thing to hand off to apache. Previous Comments: ------------------------------------------------------------------------ [2002-01-08 07:16:40] [EMAIL PROTECTED] As said by others, this is NOT a bug, but a documentation problem. (btw: assigned to only needs your username) ------------------------------------------------------------------------ [2002-01-08 03:28:11] [EMAIL PROTECTED] Ok, I have checked in a newer, cleaner version of the relevant documentation. As far as the guidelines go, configuring php and apache like that is a massive security risk, (since we've been recommending all production level sites to create a script alias for /php/ and mapping that to their php directory), so I appeal to the apache people (Jimw, etc) to look into ways of fixing it so you don't have to use a scriptalias and action. (or use action with an absolute path). This is a pretty urgent problem, so i'm going to mark this bug as critical and move it to Apache Related. ------------------------------------------------------------------------ [2002-01-07 12:02:52] [EMAIL PROTECTED] Georg, our security section has a link to that CERT advisory for quite a long time now. I have added a warning and a link to the particular security page to that setup instruction page for Apache windows. Please give better instructions for CGI setups under windows if you can. A setup, where PHP sritps are portable, so no #!c:\php\php.exe type of method is doable... Maybe James can find another way. The Apache doc only documents the methods we have in the install and security chapters... --- Goba ------------------------------------------------------------------------ [2002-01-07 09:46:58] [EMAIL PROTECTED] Actually, our documentation tells win32 users to install that way. I'm investigating a better method right now, and will patch the documentation in a short while. I knew i forgot to do something after i updated my win32 last week! ------------------------------------------------------------------------ [2002-01-07 09:41:20] [EMAIL PROTECTED] Unbelievable, why do you set your cgi-binary in the document root tree!? See http://www.cert.org/advisories/CA-1996-11.html ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/?id=14909 Edit this bug report at http://bugs.php.net/?id=14909&edit=1 -- PHP Development Mailing List <http://www.php.net/> To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]