Debian Bug report logs - #589384
libapache2-mod-php5: Even with new SetHandler config, php is still activated because of mime type

version graph

Package: mime-support; Maintainer for mime-support is Mime-Support Maintainers <mime-support@plessy.org>; Source for mime-support is src:mime-support.

Reported by: Stefan Fritsch <sf@debian.org>

Date: Sat, 17 Jul 2010 08:42:10 UTC

Severity: serious

Merged with 691413

Found in version mime-support/3.44-1

Fixed in version mime-support/3.52-1

Done: Brian White <bcwhite@pobox.com>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#589384; Package libapache2-mod-php5. (Sat, 17 Jul 2010 08:42:13 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stefan Fritsch <sf@debian.org>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sat, 17 Jul 2010 08:42:13 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libapache2-mod-php5: Even with new SetHandler config, php is still activated because of mime type
Date: Sat, 17 Jul 2010 10:41:12 +0200
Package: libapache2-mod-php5
Version: 5.2.11.dfsg.1-2
Severity: normal


Even with the new

    <FilesMatch "\.ph(p3?|tml)$">
        SetHandler application/x-httpd-php
    </FilesMatch>

config, Files named blah.php.blubb are still executed as php scripts because
they are assigned the type application/x-httpd-php in /etc/mime.types and
mod_php will execute all files of this type. This can of course be a security
problem for sites that accept uploaded files.

There are two possible remedies:
- Remove all relevant types from /etc/mime.types
- Add
	    RemoveType php phtml pht phps php3 php3p php4 php5
   to php5.conf


I am slightly in favor of the RemoveType solution (together with a comment
explaining the why). Changes to /etc/mime.types may easily be refused
on upgrade by the user (I expect the diff to be rather large).

If you think the correct fix would be to change /etc/mime.types, feel free
to reassign the bug.


NB: RemoveType works for types loaded from mime.types only since apache2
2.2.14-2 (or upstream version 2.2.15).




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#589384; Package libapache2-mod-php5. (Sat, 12 Mar 2011 00:57:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sat, 12 Mar 2011 00:57:06 GMT) Full text and rfc822 format available.

Message #10 received at 589384@bugs.debian.org (full text, mbox):

From: Raphael Geissert <geissert@debian.org>
To: Stefan Fritsch <sf@debian.org>, 589384@bugs.debian.org
Cc: control@bugs.debian.org, mime-support@packages.debian.org
Subject: Re: [php-maint] Bug#589384: libapache2-mod-php5: Even with new SetHandler config, php is still activated because of mime type
Date: Fri, 11 Mar 2011 18:55:48 -0600
reassign 589384 mime-support 3.44-1
thanks

On 17 July 2010 03:41, Stefan Fritsch <sf@debian.org> wrote:
> [...] Files named blah.php.blubb are still executed as php scripts because
> they are assigned the type application/x-httpd-php in /etc/mime.types and
> mod_php will execute all files of this type. This can of course be a security
> problem for sites that accept uploaded files.
>
> There are two possible remedies:
> - Remove all relevant types from /etc/mime.types
> - Add
>            RemoveType php phtml pht phps php3 php3p php4 php5
>   to php5.conf
>

I somehow missed this report.

I don't think we should have to deal with side effects of changes in
mime-support. I'm therefore reassigning this report; all the x-httpd-*
entries seem incorrect to me.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net




Bug reassigned from package 'libapache2-mod-php5' to 'mime-support'. Request was from Raphael Geissert <geissert@debian.org> to control@bugs.debian.org. (Sat, 12 Mar 2011 00:57:08 GMT) Full text and rfc822 format available.

Bug No longer marked as found in versions php5/5.2.11.dfsg.1-2. Request was from Raphael Geissert <geissert@debian.org> to control@bugs.debian.org. (Sat, 12 Mar 2011 00:57:08 GMT) Full text and rfc822 format available.

Bug Marked as found in versions mime-support/3.44-1. Request was from Raphael Geissert <geissert@debian.org> to control@bugs.debian.org. (Sat, 12 Mar 2011 00:57:09 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Brian White <bcwhite@pobox.com>:
Bug#589384; Package mime-support. (Sat, 12 Mar 2011 07:57:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Brian White <bcwhite@pobox.com>. (Sat, 12 Mar 2011 07:57:02 GMT) Full text and rfc822 format available.

Message #21 received at 589384@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 589384@bugs.debian.org
Cc: control@bugs.debian.org
Subject: marking as rc for wheezy
Date: Sat, 12 Mar 2011 08:48:55 +0100
[Message part 1 (text/plain, inline)]
severity 589384 serious
thanks

Hi Brian,

I'm marking this issue as release critical for wheezy. It can lead to 
surprises in the configuration of PHP, e.g. that filename.php.jpeg is executed 
as PHP code. Although this legacy effect is considered quite well known and 
hence not a security emergency, I believe that in the interest of proactive 
security it's important to avoid such surprises and that hence Debian must fix 
this for Wheezy.

As Wheezy is still a while away I hope not to burden you too much with this 
criticality, it's just that I want to ensure it doesn't get missed in the end.


Cheers,
Thijs
[signature.asc (application/pgp-signature, inline)]

Severity set to 'serious' from 'normal' Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Sat, 12 Mar 2011 07:57:11 GMT) Full text and rfc822 format available.

Reply sent to Brian White <bcwhite@pobox.com>:
You have taken responsibility. (Sun, 12 Feb 2012 21:12:14 GMT) Full text and rfc822 format available.

Notification sent to Stefan Fritsch <sf@debian.org>:
Bug acknowledged by developer. (Sun, 12 Feb 2012 21:12:16 GMT) Full text and rfc822 format available.

Message #28 received at 589384-close@bugs.debian.org (full text, mbox):

From: Brian White <bcwhite@pobox.com>
To: 589384-close@bugs.debian.org
Subject: Bug#589384: fixed in mime-support 3.52-1
Date: Sun, 12 Feb 2012 21:09:07 +0000
Source: mime-support
Source-Version: 3.52-1

We believe that the bug you reported is fixed in the latest version of
mime-support, which is due to be installed in the Debian FTP archive:

mime-support_3.52-1.dsc
  to main/m/mime-support/mime-support_3.52-1.dsc
mime-support_3.52-1.tar.gz
  to main/m/mime-support/mime-support_3.52-1.tar.gz
mime-support_3.52-1_all.deb
  to main/m/mime-support/mime-support_3.52-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 589384@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Brian White <bcwhite@pobox.com> (supplier of updated mime-support package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 12 Feb 2012 21:06:40 +0100
Source: mime-support
Binary: mime-support
Architecture: source all
Version: 3.52-1
Distribution: unstable
Urgency: low
Maintainer: Brian White <bcwhite@pobox.com>
Changed-By: Brian White <bcwhite@pobox.com>
Description: 
 mime-support - MIME files 'mime.types' & 'mailcap', and support programs
Closes: 560118 589384 594915 605250 605254 613810 619475 620372 624697 627997 639580 639822 646462 652560 658073
Changes: 
 mime-support (3.52-1) unstable; urgency=low
 .
   * removed application/x-httpd-* types (closes: 589384)
   * added numerous new mime.types (closes: 652560, 624697, 627997, 619475, 639822)
   * fixed some bad mime.types (closes: 605250, 620372, 613810)
   * added dpkg trigger support (closes: 594915)
   * obsolete bugs (closes: 560118, 605254, 639580, 646462, 658073)
Checksums-Sha1: 
 7d906ce3efb5bf90515816c387c299b25f5f0639 1344 mime-support_3.52-1.dsc
 0422a89e602f2b50d8085b771be3a1fde13ae060 31107 mime-support_3.52-1.tar.gz
 52acfca0d83d2cc241ce80f9368a5347b969e7e8 35490 mime-support_3.52-1_all.deb
Checksums-Sha256: 
 0bf2ca80a39fb3d59ec088f5868f2c0d72b6c9a9b1ab52476768755ab9d0199a 1344 mime-support_3.52-1.dsc
 78ebee71b8de0fbf606f58255b43bfda1dbc94d0e8c416e8b7f233548cf47ea4 31107 mime-support_3.52-1.tar.gz
 442b98b5b11113a9f69d8bfd99b0ef09458d4bb253aaea0781724e66e248135f 35490 mime-support_3.52-1_all.deb
Files: 
 a1495122c943daaa1282aa7cc334ba55 1344 net standard mime-support_3.52-1.dsc
 17c162f96efff3574b2ba3346484fa92 31107 net standard mime-support_3.52-1.tar.gz
 04f833f65b2f12dd4c73668877ce78aa 35490 net standard mime-support_3.52-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQIVAwUBTzgb72dwixThwUKxAQIugg/+Ou/nedrLN7qxYkJQWXV8HoGnJ94Aki5A
VMI8G9oyGcqeZRWf3t6Hf+vQQEm7JMG2/WF0jy2ikivxdqUrnSDmjvzs0ONSjP9V
6kluSqYUcxW6nwHhNjFKhwCEBSAZgnDd8siyRERYg8VdPf86JDSmeN9FwXWPxXXC
hdMWbKsP+IUoTZJCrkdXmIAGBjVdyrP4Lnx56WSguBD7NY242ETocSBhbe79L5B5
yn6WVlPXsKrGTjWlk9LGHXEnf1E47sc+IyYZRjj+4X2SHStCq/MxPcoTaGw5BQvf
VfsHc5anPZ4sjEY2PF7rDJaGmj4iVM2RywpX9Qsz0hZY2wN7NZpubhMobId9KrtJ
YJcDZYZsAfPJHOnz1U4p4upss5NI7Q+LHyny/hWNvDQRdYY+U5h8K0fby9NTCUOm
OUVri3hAARP9liXmsyZeyKSkgONyy3/mzZcAAemo8oQoz+0zRf+PxCV2gN0juJwY
a7Zo9rCt3dYaJbm34JUU1pkVLJM3LGega28q1cSyu9fxu5d4n6ei6wjK8o4K9n6b
g6NNMlzLlpTKg97KoUdj6vn6qyWS5GukDN0u1iOD9uhlaMdVktOhv8p4yIezMYDj
SsT35tTQeCJy87dcLbmbsK5KMQeh8c4XorpnQnGe94iqnuOfKRfkt1LvdzQXCoKo
QbdpqX0Is3I=
=FQCB
-----END PGP SIGNATURE-----





Added indication that 589384 affects php5 Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Thu, 25 Oct 2012 13:57:12 GMT) Full text and rfc822 format available.

Merged 589384 691413 Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Thu, 25 Oct 2012 13:57:15 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 May 2013 07:31:20 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 10:18:45 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.