On Fri, 2012-10-26 at 13:18 +0200, Ondřej Surý wrote:
> + It is also advised that
> + you check your custom configuration whether it's not vulnerable to
> + foo.php.jpeg attacks. The php5_cgi configuration snippet can be used
> + as base - it's important to use FilesMatch or Files directive to
> +
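Review bot: in the added NEWS text, "check your custom configuration whether it's not vulnerable to foo.php.jpeg attacks" is awkward and assumes the reader already knows what a foo.php.jpeg attack is. Suggest "check that your custom configuration is not vulnerable to foo.php.jpeg attacks", plus one sentence saying what goes wrong with such a file name, so an administrator can tell from the NEWS entry alone why the FilesMatch or Files directive matters here.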
On Sat, Oct 6, 2012 at 9:51 PM, Stefan Fritsch wrote:
> Hi Ondřej,
>
> I also cannot think of any configuration that would make everyone happy. At
> the moment, I fear this can only be solved by more documentation.
>
> Maybe one could add such a paragraph to the NEWS entry of php5-cgi 5.4.4-5,
> e
Hey folks.
On Tue, 2012-10-16 at 00:16 +0200, Stefan Fritsch wrote:
> And remove the php-cgi.conf completely, right? So this would introduce
> a different fix for the multi-views problem. Are you sure that there
> is no other problem that we would re-introduce? Maybe it's worth a
> try.
> The
On Thursday 11 October 2012, Charles Plessy wrote:
> On Mon, Oct 08, 2012 at 03:38:10PM +0200, Ondřej Surý wrote:
> > Just one last question which came to my mind. Would this all be
> > fixed if we added non-magic type to mime-support (e.g.
> > http://bugs.debian.org/670945) and reverting the ch
Oh and one more thing (even though this is PHP unrelated):
Maybe I misunderstand something but it seems both:
libapache2-mod-fcgid, which uses:
AddHandler fcgid-script .fcgi
FcgidConnectTimeout 20
and
libapache2-mod-fastcgi, which uses:
AddHandler fastcgi-script .fcgi
#FastCgiWrapp
Hi Charles.
On Thu, 2012-10-11 at 09:06 +0900, Charles Plessy wrote:
> Do you think that there is a way to fix #589384 (the *.php.foo problem)
> without removing the application/x-httpd-* media types ?
I would say no, well at least not if we also want to use these media
types later on in Apache t
> On Sat, Oct 6, 2012 at 9:51 PM, Stefan Fritsch wrote:
> >
> > This sucks. In hindsight, maybe the mime.types change should have been
> > deferred until we upgrade to apache 2.4 and people have to adjust their
> > configs anyway. But I think it's too late now to go back. And leaving the
> > *.php.
On Mon, 2012-10-08 at 22:42 +0200, Ondřej Surý wrote:
> Basically it would bring the old behaviour back while not mangling
> with custom Set/AddHandler directives in the apache. Remember the
> php5_cgi.{load,conf} hack was introduced after decision to fix this
> only in Apache - which in turn cause
On Mon, Oct 8, 2012 at 9:51 PM, Christoph Anton Mitterer
wrote:
> On Mon, 2012-10-08 at 15:38 +0200, Ondřej Surý wrote:
>> Just one last question which came to my mind. Would this all be fixed
>> if we added non-magic type to mime-support (e.g.
>> http://bugs.debian.org/670945) and reverting the c
On Mon, 2012-10-08 at 15:38 +0200, Ondřej Surý wrote:
> Just one last question which came to my mind. Would this all be fixed
> if we added non-magic type to mime-support (e.g.
> http://bugs.debian.org/670945) and reverting the changes done in the
> php5-cgi package?
I'm a bit unsure how/why that w
Hi,
Ondřej Surý:
> Just one last question which came to my mind. Would this all be fixed
> if we added non-magic type to mime-support (e.g.
> http://bugs.debian.org/670945) and reverting the changes done in the
> php5-cgi package?
>
IMHO that would be a good idea. (Subject to testing …)
--
-- Ma
Stephan,
thanks for the input.
Just one last question which came to my mind. Would this all be fixed
if we added non-magic type to mime-support (e.g.
http://bugs.debian.org/670945) and reverting the changes done in the
php5-cgi package?
That I think would justify change in the mime-support packa
Hi Ondřej,
I also cannot think of any configuration that would make everyone happy.
At the moment, I fear this can only be solved by more documentation.
Maybe one could add such a paragraph to the NEWS entry of php5-cgi
5.4.4-5, e.g. before "The standard configuration now also..." :
WARNI