Bug#747463: [Pkg-mediawiki-devel] Bug#747463: index.php is not executable, breaking CGI
On Thu, 8 May 2014, Joe Rayhawk wrote:

> CGI-based execution of mediawiki is made possible with
> chmod a+x /usr/share/mediawiki/index.php. It would be nice if this were made
> default so our mediawiki installations wouldn't break with every upgrade.

No:

① the file has no shebang

② http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
  I have no trust in the PHP people to keep CGI secure.

Will close this as WONTFIX unless upstream says they intend
to allow running MediaWiki as CGI.

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
Bug#747463: [Pkg-mediawiki-devel] Bug#747463: index.php is not executable, breaking CGI
On Fri, May 09, 2014 at 09:34:47AM +0200, Thorsten Glaser wrote:
> On Thu, 8 May 2014, Joe Rayhawk wrote:
>
> > CGI-based execution of mediawiki is made possible with
> > chmod a+x /usr/share/mediawiki/index.php. It would be nice if this were made
> > default so our mediawiki installations wouldn't break with every upgrade.
>
> No:
>
> ① the file has no shebang

That's what binfmt-misc exists for.

> ② http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
>   I have no trust in the PHP people to keep CGI secure.

I have no trust in PHP period, that's why I run it under a separate privilege
level, which is why I need an external execution interface, which is why I am
filing this bug. php5-cgi is a thing that is packaged for a reason; is there an
actual downside to giving this executable code an execution bit?
Bug#747463: [Pkg-mediawiki-devel] Bug#747463: index.php is not executable, breaking CGI
On Fri, 9 May 2014, Joe Rayhawk wrote:

> > ① the file has no shebang
>
> That's what binfmt-misc exists for.

Not for Debian packages themselves, no. You can run that locally,
and use dpkg-statoverride to keep the executable bit.

This is actually one of the things lintian checks for: that only
files with a shebang (upstream-provided, normally) are executable.

bye,
//mirabilos
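
The check and the local override described in the message above, as an added example that is not part of the thread and is not lintian's or the package's own code. `find_exec_without_shebang` and `make_sample_tree` are hypothetical names, the sample tree is constructed, and the `root root 0755` owner and mode in the comment are assumptions.

```shell
#!/bin/sh
# Added example; function names are hypothetical and the sample tree is constructed.

# Print regular files under $1 that carry an execute bit but are neither
# "#!" scripts nor ELF binaries (the condition the message says lintian checks).
find_exec_without_shebang() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) | sort |
    while IFS= read -r f; do
        # First four bytes, rendered by od as printable characters or octal.
        magic=$(head -c 4 "$f" | od -An -c | tr -d ' \n')
        case "$magic" in
            '#!'*)   ;;                      # interpreter line present
            177ELF)  ;;                      # ELF magic: \177 E L F
            *)       printf '%s\n' "$f" ;;   # executable only via an external handler
        esac
    done
}

# Build a constructed tree that mimics the situation in the bug report.
make_sample_tree() {
    d=$(mktemp -d)
    printf '<?php echo "wiki";\n'  > "$d/index.php"   # PHP, no shebang
    printf '#!/bin/sh\necho ok\n'  > "$d/maint.sh"    # script with shebang
    printf '<?php // library\n'    > "$d/lib.php"     # PHP, not executable
    chmod 755 "$d/index.php" "$d/maint.sh"             # mirrors "chmod a+x index.php"
    chmod 644 "$d/lib.php"
    printf '%s\n' "$d"
}

# Local override that survives package upgrades, as suggested in the message.
# Owner, group and mode here are assumptions; run as root on the affected host:
#   dpkg-statoverride --update --add root root 0755 /usr/share/mediawiki/index.php

# Audit a directory given on the command line.
if [ "$#" -gt 0 ]; then
    find_exec_without_shebang "$1"
fi
```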
Bug#747463: index.php is not executable, breaking CGI
Package: mediawiki
Version: 1:1.19.15+dfsg-0+deb7u1

CGI-based execution of mediawiki is made possible with
chmod a+x /usr/share/mediawiki/index.php. It would be nice if this were made
default so our mediawiki installations wouldn't break with every upgrade.