On Tue, 2012-08-21 at 09:07 +0200, Ondřej Surý wrote:
> > Maybe add just a small paragraph that the configuration of the
> > extensions has changed and php users should read the NEWS file?
>
> That's probably a sensible approach. I have quickly drafted a short
> paragraph which can be used for releas
On Tue, 21 Aug 2012 09:48:37 +0200
Ondřej Surý wrote:
[...]
> >> The mime-types package has dropped non-standard definitions of
> >> PHP MIME-Types as a security measure. Default PHP configuration
> >> for libapache2-mod-php5{filter} and php5-cgi now only serve files
> >> which have .php, .php[3
On Mon, Aug 20, 2012 at 06:40:54PM +0200, Marco d'Itri wrote:
> On Aug 20, Wouter Verhelst wrote:
>
> > > But some sites accept file uploads with arbitrary names, perhaps
> > > expected to be a JPEG image, but actually named bar.php.jpeg and
> > > containing malicious server-side PHP which they c
On Mon, Aug 20, 2012 at 03:12:14PM +0100, Steven Chamberlain wrote:
> On 20/08/12 14:35, Wouter Verhelst wrote:
> > On Mon, Aug 20, 2012 at 01:10:57PM +0100, Steven Chamberlain wrote:
> >> Yes it's possible some people rely on that behaviour, e.g. serving JPEG
> >> data from PHP scripts named like
On Tue, Aug 21, 2012 at 09:07:59AM +0200, Ondřej Surý wrote:
[...]
>> Maybe add just a small paragraph that the configuration of the
>> extensions has changed and php users should read the NEWS file?
>
> That's probably a sensible approach. I have quickly drafted a short
> paragraph which can be use
On Tue, Aug 21, 2012 at 9:38 AM, Konstantin Khomoutov
wrote:
> On Tue, Aug 21, 2012 at 09:07:59AM +0200, Ondřej Surý wrote:
>
> [...]
>>> Maybe add just a small paragraph that the configuration of the
>>> extensions has changed and php users should read the NEWS file?
>>
>> That's probably sensibl
> Default PHP extension configuration
^^^
This needs Apache 2, e.g.
Default PHP extension configuration for Apache 2.
> ---
>
> The mime-types package has dropped non-standard definitions of
> PHP MIME-Types as a security measure. Default PHP configuration
> for
On Mon, Aug 20, 2012 at 8:12 PM, Stefan Fritsch wrote:
> On Monday 20 August 2012, Ondřej Surý wrote:
> >> Ah, I see; it gets executed when there is no known handler or
> >> mime-type for the second extension.
>>
>> E.g. index.php.jpeg works as expected (e.g. returning PHP source
>> code), index.php.blubb
Hi Ondřej.
On Mon, 2012-08-20 at 14:57 +0200, Ondřej Surý wrote:
> http://anonscm.debian.org/gitweb/?p=pkg-php/php.git;a=commit;h=72eef08994f65b227103509617652d7c0bf0587a
- You mention in the README.Debian now that no other webserver likely used
/etc/mime.types.
Wasn't there someone who meant li
On Mon, 2012-08-20 at 14:06 +0100, Jon Dowland wrote:
> On Mon, Aug 20, 2012 at 12:58:42AM +0200, Christoph Anton Mitterer wrote:
> > But if anyone would lobby that (release goal: default to CGI/FCGI),
> > they'd have definitely my support :)
> A bit late for wheezy, do you mean for +1?
Yeah,... of
On Mon, 2012-08-20 at 09:02 +0200, Wouter Verhelst wrote:
> Maybe that's because it's expected they would be PHP scripts emitting
> JPEG files, not plain JPEG files? This seems like a feature to me, not a
> bug. Why was support for that removed?
I think that's really wrong style then...
Content ge
On Monday 20 August 2012, Ondřej Surý wrote:
> Ah, I see; it gets executed when there is no known handler or
> mime-type for the second extension.
>
> E.g. index.php.jpeg works as expected (e.g. returning PHP source
> code), but index.php.blubb gets executed. I don't think there's any
> harm in disabli
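The behaviour quoted above follows from how mod_mime walks a filename with several extensions: each extension that is known overrides the type found so far, an unknown one is ignored, and a handler set by an earlier extension survives a later extension that only sets a type. The script below is an added illustration written for this page, not code from the thread, from Debian's php5 packaging or from Apache. It models that rule with a constructed excerpt of the old and new /etc/mime.types tables and compares an extension-walk setup (the php5-cgi "Action application/x-httpd-php ..." mapping, plus an AddHandler variant some sites use) against a handler anchored on the final extension only. The handler name "php5-script" and the regex "\.php$" are assumptions for the example; the exact patterns in the new default configuration are not reproduced here.

```python
import re

PHP_TYPE = "application/x-httpd-php"
PHP_HANDLER = "php5-script"  # assumed handler name for an AddHandler-style setup

# Constructed excerpt of the old /etc/mime.types: mime-support shipped a
# non-standard line mapping the PHP extensions to application/x-httpd-php.
OLD_MIME_TYPES = {
    "php": PHP_TYPE, "phtml": PHP_TYPE,
    "jpeg": "image/jpeg", "jpg": "image/jpeg",
    "html": "text/html", "txt": "text/plain",
}
# The same table after the non-standard PHP entries were dropped.
NEW_MIME_TYPES = {ext: t for ext, t in OLD_MIME_TYPES.items() if t != PHP_TYPE}


def split_extensions(filename):
    """Extensions of the basename, left to right, lower-cased:
    'dir/a.php.JPEG' -> ['php', 'jpeg']."""
    return [e.lower() for e in filename.rsplit("/", 1)[-1].split(".")[1:]]


def resolve(filename, mime_types, handlers=None):
    """Simplified model of mod_mime's multiple-extension rule: walk the
    extensions left to right; a known extension overrides the type or handler
    found so far, an unknown extension changes nothing."""
    handlers = handlers or {}
    content_type, handler = None, None
    for ext in split_extensions(filename):
        if ext in mime_types:
            content_type = mime_types[ext]
        if ext in handlers:
            handler = handlers[ext]
    return content_type, handler


def runs_as_php_extension_walk(filename, mime_types, handlers=None):
    """php5-cgi's 'Action application/x-httpd-php /cgi-bin/php5' fires on the
    resolved type; an AddHandler setup fires on the resolved handler."""
    content_type, handler = resolve(filename, mime_types, handlers)
    return content_type == PHP_TYPE or handler == PHP_HANDLER


# Handler keyed on the last extension only, FilesMatch-style (regex assumed).
LAST_EXT_PHP = re.compile(r"\.php$", re.IGNORECASE)


def runs_as_php_filesmatch(filename):
    """True only when '.php' is the final extension of the basename."""
    return LAST_EXT_PHP.search(filename.rsplit("/", 1)[-1]) is not None


def classify(filename):
    """Which configurations would execute this filename as PHP."""
    return {
        "old mime.types + Action": runs_as_php_extension_walk(filename, OLD_MIME_TYPES),
        "old mime.types + AddHandler .php": runs_as_php_extension_walk(
            filename, OLD_MIME_TYPES, {"php": PHP_HANDLER}),
        "new mime.types + Action": runs_as_php_extension_walk(filename, NEW_MIME_TYPES),
        'FilesMatch "\\.php$"': runs_as_php_filesmatch(filename),
    }


if __name__ == "__main__":
    for name in ("index.php", "index.php.jpeg", "index.php.blubb", "upload.jpeg"):
        print(name)
        for setup, executed in classify(name).items():
            print("   %-34s %s" % (setup, "executes" if executed else "served as data"))
```

Two things the table makes visible: with the old mime.types and the type-based Action, index.php.jpeg is served as image/jpeg (PHP source disclosed, not run) while index.php.blubb runs, exactly as quoted; and with the new mime.types but only the old Action line, not even index.php runs, which is why the default configuration had to start naming the PHP extensions itself.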
On Aug 20, Wouter Verhelst wrote:
> > But some sites accept file uploads with arbitrary names, perhaps
> > expected to be a JPEG image, but actually named bar.php.jpeg and
> > containing malicious server-side PHP which they could execute from the
> > browser.
> Don't Do That Then(TM).
I see that
On 20/08/12 14:35, Wouter Verhelst wrote:
> On Mon, Aug 20, 2012 at 01:10:57PM +0100, Steven Chamberlain wrote:
>> Yes it's possible some people rely on that behaviour, e.g. serving JPEG
>> data from PHP scripts named like foo.php.jpeg.
Sorry, I was wrong. For extensions like .jpeg with a known M
On Mon, Aug 20, 2012 at 3:35 PM, Charles Plessy wrote:
>> Charles, did you test that or you base that claim on Christoph's
>> mails? I have just tested both php5-cgi in standard configuration as
>> recommended in README.Debian and this claim doesn't seem to be true:
>>
>> $ wget -q -O - http://lo
On Mon, Aug 20, 2012 at 01:10:57PM +0100, Steven Chamberlain wrote:
> On 20/08/12 08:02, Wouter Verhelst wrote:
> > On Sun, Aug 19, 2012 at 11:17:26AM +0900, Charles Plessy wrote:
> >> - In Squeeze, using default configurations, files with ".php" in their
> >> name
> >> such as "foo.php.jpeg"
Le Mon, Aug 20, 2012 at 02:57:10PM +0200, Ondřej Surý a écrit :
>
> I have prepared new update for PHP based on comments from d-d. The
> commit is here:
>
> http://anonscm.debian.org/gitweb/?p=pkg-php/php.git;a=commit;h=72eef08994f65b227103509617652d7c0bf0587a
Hi Ondřej,
many thanks for this wo
On Mon, Aug 20, 2012 at 12:58:42AM +0200, Christoph Anton Mitterer wrote:
> But if anyone would lobby that (release goal: default to CGI/FCGI),
> they'd have definitely my support :)
A bit late for wheezy, do you mean for +1?
Hi all,
[multiple messages from d-d and d-r merged together]
> I am also concerned that a *simple* solution to restore the old
> behaviour in a secure way is not provided: maybe php5-cgi should install
> a sensible default configuration in /etc/apache2/conf.d/ ?
I have prepared new update for PH
On 20/08/12 08:02, Wouter Verhelst wrote:
> On Sun, Aug 19, 2012 at 11:17:26AM +0900, Charles Plessy wrote:
>> - In Squeeze, using default configurations, files with ".php" in their name
>> such as "foo.php.jpeg" are executed as PHP scripts by the Apache web
>> servers
>> running PHP scripts
On Sun, Aug 19, 2012 at 11:17:26AM +0900, Charles Plessy wrote:
> - In Squeeze, using default configurations, files with ".php" in their name
> such as "foo.php.jpeg" are executed as PHP scripts by the Apache web
> servers
> running PHP scripts through php5-cgi.
Maybe that's because it's ex
On Sun, 19 Aug 2012, Marco d'Itri wrote:
> On Aug 19, Charles Plessy wrote:
> > - PHP scripts can be executed by Apache httpd through libapache2-mod-php5
> > or
> > php5-cgi. Debian recommends libapache2-mod-php5, but there are still
> This is another issue which concerns me, since mod_php f
On Sun, 2012-08-19 at 22:32 +0200, Marco d'Itri wrote:
> I am also concerned that a *simple* solution to restore the old
> behaviour in a secure way is not provided: maybe php5-cgi should install
> a sensible default configuration in /etc/apache2/conf.d/ ?
Again, I don't think this saves us from
Hey Russ, Marco.
On Sun, 2012-08-19 at 22:32 +0200, Marco d'Itri wrote:
> > thousands of installations which report the use of php5-cgi according to
> > the
> > Popularity Contest statistics.
> Yes, because sensible people who need PHP will try to use it as
> CGI/FastCGI (or FPM, finally i
On Sun, 2012-08-19 at 18:16 +0100, Roger Lynn wrote:
> How does this affect other web servers?
There was someone mentioning that lighttpd may use /etc/mime.types,
too.
So yes, basically anything (though I guess security critical things
should only be found at webservers, as they typically serve i
On Sun, 2012-08-19 at 17:26 +0200, Jonas Smedegaard wrote:
> FWiW, out of the ~7'500 popcon hits of regular use of php5-cgi, ~900
> also regularly uses suphp, so might be unaffected by this issue.
"mights" are not something we should build our security upon.
And apart from that... I had a very sh
On Sun, 2012-08-19 at 12:43 +0200, Cyril Brulebois wrote:
> I guess we could consider that for a very specific, low-popcon package.
> But knowingly interrupting upgrades for a well-known problem, on a very
> high number of systems? I'm not sure that's appropriate. Quite the
> opposite, actually.
I
On Aug 19, Charles Plessy wrote:
> - PHP scripts can be executed by Apache httpd through libapache2-mod-php5 or
> php5-cgi. Debian recommends libapache2-mod-php5, but there are still
This is another issue which concerns me, since mod_php forces the use of
preforking apache, which means that
On 19/08/12 03:20, Charles Plessy wrote:
> - PHP scripts can be executed by Apache httpd through libapache2-mod-php5 or
> php5-cgi. Debian recommends libapache2-mod-php5, but there are still
> thousands of installations which report the use of php5-cgi according to the
> Popularity Contes
Charles Plessy writes:
> In summary:
> - PHP scripts can be executed by Apache httpd through libapache2-mod-php5 or
> php5-cgi. Debian recommends libapache2-mod-php5, but there are still
> thousands of installations which report the use of php5-cgi according to the
> Popularity Contest
On 12-08-19 at 11:17am, Charles Plessy wrote:
> - PHP scripts can be executed by Apache httpd through libapache2-mod-php5 or
> php5-cgi. Debian recommends libapache2-mod-php5, but there are still
> thousands of installations which report the use of php5-cgi according to the
> Popularity
Charles Plessy (19/08/2012):
> This will interrupt upgrade of servers using php5-cgi, but to avoid
> surprises, the rough consensus in #674089 is also to document the same
> information in the release notes.
I guess we could consider that for a very specific, low-popcon package.
But knowingly int
Dear release team and developer community,
due to changes in the mime-support package, upgrade of systems serving PHP
websites through CGI will not be automatic. There is
http://bugs.debian.org/674089 (critical) where the issue is discussed, and I
would like to reassign it to the release notes.