Debian Bug report logs - #639268
libapache2-mod-php5: .phar files not executed with php

Package: libapache2-mod-php5; Maintainer for libapache2-mod-php5 is Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>; Source for libapache2-mod-php5 is src:php5.

Reported by: Christian Weiske <cweiske@cweiske.de>

Date: Thu, 25 Aug 2011 13:21:21 UTC

Severity: normal

Found in version 5.3.5-1ubuntu7.2


Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#639268; Package libapache2-mod-php5. (Thu, 25 Aug 2011 13:21:24 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christian Weiske <cweiske@cweiske.de>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 25 Aug 2011 13:21:24 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Christian Weiske <cweiske@cweiske.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libapache2-mod-php5: .phar files not executed with php
Date: Thu, 25 Aug 2011 15:10:45 +0200
Package: libapache2-mod-php5
Version: 5.3.5-1ubuntu7.2
Severity: normal

.phar files are not executed with php when accessed through apache.

.phar is a file format to pack up whole PHP applications in a single file.

Reason for the problem is that
> /etc/apache2/mods-available/php5.conf
contains
>    <FilesMatch "\.ph(p3?|tml)$">
>        SetHandler application/x-httpd-php
>    </FilesMatch>
which does not match ".phar". The regex should be extended to
"\.ph(ar|p3?|tml)$"

-- System Information:
Debian Release: squeeze/sid
  APT prefers natty-updates
  APT policy: (500, 'natty-updates'), (500, 'natty-security'), (500, 'natty')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-11-generic (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapache2-mod-php5 depends on:
ii  apache2-mpm-pref 2.2.17-1ubuntu1         Apache HTTP Server - traditional n
ii  apache2.2-common 2.2.17-1ubuntu1         Apache HTTP Server common files
ii  libbz2-1.0       1.0.5-6ubuntu1          high-quality block-sorting file co
ii  libc6            2.13-0ubuntu13          Embedded GNU C Library: Shared lib
ii  libdb4.8         4.8.30-5ubuntu2         Berkeley v4.8 Database Libraries [
ii  libmagic1        5.04-5ubuntu2           File type determination library us
ii  libpcre3         8.12-3ubuntu2           Perl 5 Compatible Regular Expressi
ii  libssl0.9.8      0.9.8o-5ubuntu1         SSL shared libraries
ii  libxml2          2.7.8.dfsg-2ubuntu0.1   GNOME XML library
ii  mime-support     3.51-1ubuntu1           MIME files 'mime.types' & 'mailcap
ii  php5-common      5.3.5-1ubuntu7.2        Common files for packages built fr
ii  tzdata           2011g-0ubuntu0.11.04    time zone and daylight-saving time
ii  ucf              3.0025+nmu1ubuntu1      Update Configuration File: preserv
ii  zlib1g           1:1.2.3.4.dfsg-3ubuntu3 compression library - runtime

Versions of packages libapache2-mod-php5 recommends:
ii  php5-cli                5.3.5-1ubuntu7.2 command-line interpreter for the p

Versions of packages libapache2-mod-php5 suggests:
ii  php-pear                5.3.5-1ubuntu7.2 PEAR - PHP Extension and Applicati

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#639268; Package libapache2-mod-php5. (Mon, 21 Nov 2011 10:36:12 GMT) Full text and rfc822 format available.

Acknowledgement sent to BohwaZ <bohwaz@bohwaz.net>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 21 Nov 2011 10:36:12 GMT) Full text and rfc822 format available.

Message #10 received at 639268@bugs.debian.org (full text, mbox):

From: BohwaZ <bohwaz@bohwaz.net>
To: 639268@bugs.debian.org
Subject: Problem from Suhosin
Date: Mon, 21 Nov 2011 11:32:49 +0100
The bug is from Suhosin which doesn't allow execution of phar:// URLs
(what a shame).

You need to add this to your php.ini :

suhosin.executor.include.whitelist="phar"

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#639268; Package libapache2-mod-php5. (Sat, 15 Sep 2012 12:21:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christian Weiske <cweiske@cweiske.de>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sat, 15 Sep 2012 12:21:03 GMT) Full text and rfc822 format available.

Message #15 received at 639268@bugs.debian.org (full text, mbox):

From: Christian Weiske <cweiske@cweiske.de>
To: 639268@bugs.debian.org
Subject: Re: Problem from Suhosin
Date: Sat, 15 Sep 2012 14:08:26 +0200
> The bug is from Suhosin which doesn't allow execution of phar:// URLs

No, this is not the issue. The issue is that apache does not even let
PHP handle the .phar file at all.

-- 
Regards/Mit freundlichen Grüßen
Christian Weiske

-=≡ Geeking around in the name of science since 1982 ≡=-

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#639268; Package libapache2-mod-php5. (Mon, 10 Mar 2014 10:51:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 10 Mar 2014 10:51:05 GMT) Full text and rfc822 format available.

Message #20 received at 639268@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: "Christian Weiske" <cweiske@cweiske.de>, 639268@bugs.debian.org
Subject: Re: [php-maint] Bug#639268: Problem from Suhosin
Date: Mon, 10 Mar 2014 11:47:10 +0100
On Sat, September 15, 2012 13:08, Christian Weiske wrote:
>> The bug is from Suhosin which doesn't allow execution of phar:// URLs
>
> No, this is not the issue. The issue is that apache does not even let
> PHP handle the .phar file at all.

I'm missing why we would want Apache to handle the phar file directly. If
it's an archive, don't you want to download it instead of execute it in
the web server context?

Cheers,
Thijs



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#639268; Package libapache2-mod-php5. (Mon, 17 Mar 2014 17:00:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christian Weiske <cweiske@cweiske.de>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 17 Mar 2014 17:00:05 GMT) Full text and rfc822 format available.

Message #25 received at 639268@bugs.debian.org (full text, mbox):

From: Christian Weiske <cweiske@cweiske.de>
To: 639268@bugs.debian.org
Subject: [PATCH] Handle .phar (and .bz2|.gz|.zip) with PHP
Date: Mon, 17 Mar 2014 17:48:14 +0100
Configure apache to handle .phar, .phar.bz2, phar.gz and .phar.zip
files with the PHP module.

Resolves: #639268
---
 INSTALL                | 6 +++---
 debian/php5-cgi.conf   | 4 ++--
 debian/php5.conf       | 4 ++--
 debian/php5filter.conf | 4 ++--
 4 files changed, 9 insertions(+), 9 deletions(-)

diff --git INSTALL INSTALL
index 141e4f8..2d2abb7 100644
--- INSTALL
+++ INSTALL
@@ -462,9 +462,9 @@ LoadModule php5_module modules/libphp5.so
     SetHandler application/x-httpd-php
 </FilesMatch>
        Or,  if we wanted to
allow .php, .php2, .php3, .php4, .php5, .php6,
-       and  .phtml files to be executed as PHP, but nothing else, we'd
use
-       this:
-<FilesMatch "\.ph(p[2-6]?|tml)$">
+       .phtml,  .phar,  .phar.bz2,  phar.gz  and  .phar.zip  files
to  be
+       executed as PHP, but nothing else, we'd use this:
+<FilesMatch "\.ph(ar(|\.bz2|\.gz|\.zip)|p[2-6]?|tml)$">
     SetHandler application/x-httpd-php
 </FilesMatch>
        And  to  allow  .phps files to be handled by the php source
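Review bot: The INSTALL hunk is line-wrapped and will not apply as sent: the lines "allow .php, .php2, ...", "use" and "to  be" carry no leading space, "+" or "-", and the "diff --git debian/php5-cgi.conf" header of the next file is fused onto the trailing context line that starts with "filter,". Resend the patch as an attachment or with wrapping disabled. The added prose also writes "phar.gz" without its leading dot, while the regex below it requires "\.gz".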
filter, diff --git debian/php5-cgi.conf debian/php5-cgi.conf
index 2a18b14..32d3bfa 100644
--- debian/php5-cgi.conf
+++ debian/php5-cgi.conf
@@ -5,7 +5,7 @@
 # application/x-httpd-php3                       php3
 # application/x-httpd-php4                       php4
 # application/x-httpd-php5                       php
-<FilesMatch ".+\.ph(p[345]?|t|tml)$">
+<FilesMatch ".+\.ph(ar(|\.bz2|\.gz|\.zip)|p[345]?|t|tml)$">
     SetHandler application/x-httpd-php
 </FilesMatch>
 # application/x-httpd-php-source                 phps
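Review bot: The SetHandler pattern in php5-cgi.conf now hands every name ending in .phar, .phar.bz2, .phar.gz or .phar.zip to PHP, but the commit message only restates the change and gives no reason why an archive should be executed rather than downloaded. Add the rationale and the use case it serves to the commit message, since this turns files that were served as static content into executed code for every site using this config.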
@@ -18,7 +18,7 @@
     Deny from all
 </FilesMatch>
 # Deny access to files without filename (e.g. '.php')
-<FilesMatch "^\.ph(p[345]?|t|tml|ps)$">
+<FilesMatch "^\.ph(ar(|\.bz2|\.gz|\.zip)|p[345]?|t|tml|ps)$">
     Order Deny,Allow
     Deny from all
 </FilesMatch>
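Review bot: The alternation "ar(|\.bz2|\.gz|\.zip)" in the deny rule relies on an empty first alternative to match a bare .phar, which is easy to misread; "ar(\.(bz2|gz|zip))?" matches the same names and reads more clearly, here and in the SetHandler pattern above. The comment line above the rule still gives only '.php' as its example although the rule now also covers '.phar' and its compressed forms.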
diff --git debian/php5.conf debian/php5.conf
index 2e9772f..c70347f 100644
--- debian/php5.conf
+++ debian/php5.conf
@@ -1,4 +1,4 @@
-<FilesMatch ".+\.ph(p[345]?|t|tml)$">
+<FilesMatch ".+\.ph(ar(|\.bz2|\.gz|\.zip)|p[345]?|t|tml)$">
     SetHandler application/x-httpd-php
 </FilesMatch>
 <FilesMatch ".+\.phps$">
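Review bot: The new php5.conf pattern changes default behaviour on upgrade: a .phar, .phar.bz2, .phar.gz or .phar.zip file already sitting in a served directory stops being delivered as a file and is run by the PHP handler instead. Either call this out in the changelog or debian/NEWS, or ship the phar alternatives as a separate FilesMatch block that is commented out, so that administrators enable it deliberately.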
@@ -10,7 +10,7 @@
     Deny from all
 </FilesMatch>
 # Deny access to files without filename (e.g. '.php')
-<FilesMatch "^\.ph(p[345]?|t|tml|ps)$">
+<FilesMatch "^\.ph(ar(|\.bz2|\.gz|\.zip)|p[345]?|t|tml|ps)$">
     Order Deny,Allow
     Deny from all
 </FilesMatch>
diff --git debian/php5filter.conf debian/php5filter.conf
index 50c88b4..ce3f163 100644
--- debian/php5filter.conf
+++ debian/php5filter.conf
@@ -1,9 +1,9 @@
-<FilesMatch ".+\.ph(p3?|tml)$">
+<FilesMatch ".+\.ph(ar(|\.bz2|\.gz|\.zip)|p3?|tml)$">
     SetInputFilter PHP
     SetOutputFilter PHP
 </FilesMatch>
 # Deny access to files without filename (e.g. '.php')
-<FilesMatch "^\.ph(p[345]?|t|tml|ps)$">
+<FilesMatch "^\.ph(ar(|\.bz2|\.gz|\.zip)|p[345]?|t|tml|ps)$">
     Order Deny,Allow
     Deny from all
 </FilesMatch>
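Review bot: In php5filter.conf the first pattern feeds matching files through "SetInputFilter PHP" and "SetOutputFilter PHP" rather than SetHandler, and the patch does not say whether a phar, in particular a compressed .phar.gz, .phar.bz2 or .phar.zip, was tested in this mode. Please confirm it works through the filter or leave the filter pattern unchanged. This pattern also still lists only "p3?|tml" while the deny rule below it lists "p[345]?|t|tml|ps", so the two remain out of step.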
-- 
1.8.3.2


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#639268; Package libapache2-mod-php5. (Mon, 17 Mar 2014 17:09:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 17 Mar 2014 17:09:04 GMT) Full text and rfc822 format available.

Message #30 received at 639268@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: "Christian Weiske" <cweiske@cweiske.de>, 639268@bugs.debian.org
Subject: Re: [php-maint] Bug#639268: [PATCH] Handle .phar (and .bz2|.gz|.zip) with PHP
Date: Mon, 17 Mar 2014 18:07:41 +0100
Hi,

Thanks, but this does not really answer my question?


Thijs




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#639268; Package libapache2-mod-php5. (Mon, 17 Mar 2014 18:18:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christian Weiske <cweiske@cweiske.de>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 17 Mar 2014 18:18:04 GMT) Full text and rfc822 format available.

Message #35 received at 639268@bugs.debian.org (full text, mbox):

From: Christian Weiske <cweiske@cweiske.de>
To: "Thijs Kinkhorst" <thijs@debian.org>
Cc: 639268@bugs.debian.org
Subject: Re: [php-maint] Bug#639268: [PATCH] Handle .phar (and .bz2|.gz|.zip) with PHP
Date: Mon, 17 Mar 2014 19:15:09 +0100
Hello Thijs,


>> I'm missing why we would want Apache to handle the phar file
>> directly. If it's an archive, don't you want to download it instead
>> of execute it in the web server context?
> Thanks, but this does not really answer my question?

I didn't see your question until I read the bug, sorry.

PHAR archives can be used to distribute full web applications with all
dependencies included, so that you only have to put it in your web
server's document root and access it via your browser.

Specifically to support this, phar has a feature called "web index
file" in the phar stub[1]. It gets called whenever the phar is executed
through a HTTP request.

So it makes sense to let PHP handle phar files (and their compressed
versions) directly, without extracting them.
More information about phar can be found on [2].


[1] http://www.php.net/manual/en/phar.createdefaultstub.php
[2] http://www.php.net/manual/en/intro.phar.php

-- 
Regards/Mit freundlichen Grüßen
Christian Weiske

-=≡ Geeking around in the name of science since 1982 ≡=-
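
The effect of the regex change discussed in this bug, as an added example (not part of any message in the log or of the Debian package): a Python check of which files the pre-patch and patched FilesMatch patterns from the diff hand to PHP, usable to audit a document root before such a change. The function names and the sample paths are constructed for illustration, and Python's re module is assumed to behave like Apache's PCRE for these simple patterns.

```python
import os
import re

# Patterns copied from this bug log. Apache's FilesMatch uses PCRE; these
# simple constructs are assumed to behave the same in Python's re module.
REPORTED = r"\.ph(p3?|tml)$"                              # php5.conf quoted in the report
BEFORE = r".+\.ph(p[345]?|t|tml)$"                        # debian/php5.conf, '-' line
AFTER = r".+\.ph(ar(|\.bz2|\.gz|\.zip)|p[345]?|t|tml)$"   # debian/php5.conf, '+' line
DENY = r"^\.ph(ar(|\.bz2|\.gz|\.zip)|p[345]?|t|tml|ps)$"  # patched deny rule


def matches(pattern, path):
    """FilesMatch tests the base name, unanchored unless the regex anchors."""
    return re.search(pattern, os.path.basename(path)) is not None


def classify(path):
    """Outcome under the patched config: 'deny', 'php' or 'static'."""
    if matches(DENY, path):
        return "deny"
    return "php" if matches(AFTER, path) else "static"


def newly_executed(paths):
    """Files served as-is before the patch that PHP would handle after it."""
    return [p for p in paths if not matches(BEFORE, p) and matches(AFTER, p)]


# Constructed sample of document-root paths (not taken from the bug log).
SAMPLE = [
    "/var/www/index.php",
    "/var/www/app.phar",
    "/var/www/dl/tool.phar.gz",
    "/var/www/dl/tool.phar.bz2",
    "/var/www/dl/tool.phar.zip",
    "/var/www/dl/tool.phar.txt",   # suffix after .phar: stays static
    "/var/www/dl/backup.tar.gz",
    "/var/www/.phar",              # no name before the dot: deny rule
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p:28} reported={matches(REPORTED, p)!s:5} -> {classify(p)}")
    print("changed by patch:", newly_executed(SAMPLE))
```
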


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 13:30:26 2014; Machine Name: buxtehude.debian.org
