Debian Bug report logs -
#319398
php4.conf: use Files directive to deny unintentional filenames
Report forwarded to debian-bugs-dist@lists.debian.org, Adam Conrad <adconrad@0c3.net>:
Bug#319398; Package libapache-mod-php4.
Acknowledgement sent to Stephen Gildea <gildea@stop.mail-abuse.org>:
New Bug report received and forwarded. Copy sent to Adam Conrad <adconrad@0c3.net>.
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: libapache-mod-php4
Version: 4:4.3.10-15
Tags: patch
The default Debian /etc/apache/conf.d/php4.conf should use a Files
directive to deny access to files that probably shouldn't have been
placed in the web tree to begin with.
I recognize that with a properly-configured site this step would be
unnecessary, but I've seen too many PHP-based packages that install all
files under the web document root, whether they are intended to be
visible from the web or not. This patch protects sites that are running
such packages.
The *.tpl pattern in the patch catches template files for phpBB, Smarty,
etc.
< Stephen
*** php4-4.3.10/debian/libapache-mod-php4.conf Thu Jul 21 00:12:37 2005
--- debian/libapache-mod-php4.conf Thu Jul 21 00:21:36 2005
***************
*** 1,4 ****
--- 1,12 ----
<IfModule mod_php4.c>
AddType application/x-httpd-php .php .phtml .php3
AddType application/x-httpd-php-source .phps
+
+ # Files with these names should not be installed under
+ # DocumentRoot, but just in case, deny access to them.
+ <Files ~ "\.ini$|\.inc$|\.tpl$">
+ Order allow,deny
+ Deny from all
+ </Files>
+
</IfModule>
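Review bot: The new `<Files>` section sits inside `<IfModule mod_php4.c>`, so the deny rule only exists while mod_php4 is loaded; if the module is disabled or fails to load, `.ini`, `.inc` and `.tpl` files under DocumentRoot are served again with no warning. Either move the section outside the `<IfModule>` wrapper or state in the comment above it that the protection depends on the module being loaded.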
*** php4-4.3.10/debian/libapache2-mod-php4.conf Thu Jul 21 00:12:37 2005
--- debian/libapache2-mod-php4.conf Thu Jul 21 00:22:31 2005
***************
*** 1,4 ****
--- 1,12 ----
<IfModule mod_php4.c>
AddType application/x-httpd-php .php .phtml .php3
AddType application/x-httpd-php-source .phps
+
+ # Files with these names should not be installed under
+ # DocumentRoot, but just in case, deny access to them.
+ <Files ~ "\.ini$|\.inc$|\.tpl$">
+ Order allow,deny
+ Deny from all
+ </Files>
+
</IfModule>
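Review bot: The `<Files ~ "\.ini$|\.inc$|\.tpl$">` section in the Apache 2 file has no `<VirtualHost>` or `<Directory>` around it, so it applies to every site on the server, including ones that publish `.tpl` or `.ini` files on purpose, and the two-line comment does not mention that scope or how to re-allow a name. Extend the comment to say the rule is server-wide and that a `<Files>` section in a virtual host can override it. Apache's documentation also prefers the `<FilesMatch "\.(ini|inc|tpl)$">` form over `<Files ~ ...>`.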
Message sent on to Stephen Gildea <gildea@stop.mail-abuse.org>:
Bug#319398.
Message #8 received at 319398-submitter@bugs.debian.org (full text, mbox, reply):
package php4
tags 319398 +wontfix
severity 319398 wishlist
thank you
This hint should probably go to README.Debian or such file, but I don't
consider it appropriate for us to make a workaround for every braindead php
application around.
Ondrej.
--
Ondřej Surý <ondrej@sury.org> http://blog.rfc1925.org/
Tags added: wontfix
Request was from Ondrej Sury <ondrej@sury.org>
to control@bugs.debian.org.
Severity set to `wishlist' from `normal'
Request was from Ondrej Sury <ondrej@sury.org>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#319398; Package libapache-mod-php4.
Acknowledgement sent to Lucas Nussbaum <lucas@lucas-nussbaum.net>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
Message #17 received at 319398@bugs.debian.org (full text, mbox, reply):
reassign 301824 libapache2-mod-php5
reassign 330419 libapache2-mod-php5
reassign 317577 libapache2-mod-php5
reassign 321460 libapache2-mod-php5
reassign 319398 libapache2-mod-php5
reassign 419714 libapache2-mod-php5
thanks
The libapache-mod-php4 package has been removed from Debian testing, unstable and
experimental. I am reassigning its bugs to the libapache2-mod-php5 package. Please
have a look at them, and close them if they don't apply to
libapache2-mod-php5 anymore.
Don't hesitate to reply to this mail if you have any question.
--
Lucas
Tags removed: patch
Request was from Raphael Geissert <atomo64@gmail.com>
to control@bugs.debian.org.
(Fri, 15 May 2009 17:03:03 GMT) (full text, mbox, link).
Reply sent
to Ondřej Surý <ondrej@sury.org>:
You have taken responsibility.
(Wed, 02 Jul 2014 12:12:18 GMT) (full text, mbox, link).
Notification sent
to Stephen Gildea <gildea@stop.mail-abuse.org>:
Bug acknowledged by developer.
(Wed, 02 Jul 2014 12:12:18 GMT) (full text, mbox, link).
Message #26 received at 319398-done@bugs.debian.org (full text, mbox, reply):
As explained before we are not going to fix that. It's the responsibility
of the application to either use sane extensions or prevent access.
No size fits all here.
O.
--
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 31 Jul 2014 07:34:52 GMT) (full text, mbox, link).
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sun Jul 2 03:39:57 2023;
Machine Name:
bembo