Debian Bug report logs -
#639268
libapache2-mod-php7.0,php7.0-cgi: .phar files not executed with php
Reported by: Christian Weiske <cweiske@cweiske.de>
Date: Thu, 25 Aug 2011 13:21:21 UTC
Severity: normal
Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#639268; Package libapache2-mod-php5.
(Thu, 25 Aug 2011 13:21:24 GMT) (full text, mbox, link).
Acknowledgement sent
to Christian Weiske <cweiske@cweiske.de>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Thu, 25 Aug 2011 13:21:24 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: libapache2-mod-php5
Version: 5.3.5-1ubuntu7.2
Severity: normal
..phar files are not executed with php when accessed through apache.
..phar is a file format to pack up whole PHP applications in a single file.
Reason for the problem is that
> /etc/apache2/mods-available/php5.conf
contains
> <FilesMatch "\.ph(p3?|tml)$">
> SetHandler application/x-httpd-php
> </FilesMatch>
which does not match ".phar". The regex should be extended to
"\.ph(ar|p3?|tml)$"
-- System Information:
Debian Release: squeeze/sid
APT prefers natty-updates
APT policy: (500, 'natty-updates'), (500, 'natty-security'), (500, 'natty')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.38-11-generic (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libapache2-mod-php5 depends on:
ii apache2-mpm-pref 2.2.17-1ubuntu1 Apache HTTP Server - traditional n
ii apache2.2-common 2.2.17-1ubuntu1 Apache HTTP Server common files
ii libbz2-1.0 1.0.5-6ubuntu1 high-quality block-sorting file co
ii libc6 2.13-0ubuntu13 Embedded GNU C Library: Shared lib
ii libdb4.8 4.8.30-5ubuntu2 Berkeley v4.8 Database Libraries [
ii libmagic1 5.04-5ubuntu2 File type determination library us
ii libpcre3 8.12-3ubuntu2 Perl 5 Compatible Regular Expressi
ii libssl0.9.8 0.9.8o-5ubuntu1 SSL shared libraries
ii libxml2 2.7.8.dfsg-2ubuntu0.1 GNOME XML library
ii mime-support 3.51-1ubuntu1 MIME files 'mime.types' & 'mailcap
ii php5-common 5.3.5-1ubuntu7.2 Common files for packages built fr
ii tzdata 2011g-0ubuntu0.11.04 time zone and daylight-saving time
ii ucf 3.0025+nmu1ubuntu1 Update Configuration File: preserv
ii zlib1g 1:1.2.3.4.dfsg-3ubuntu3 compression library - runtime
Versions of packages libapache2-mod-php5 recommends:
ii php5-cli 5.3.5-1ubuntu7.2 command-line interpreter for the p
Versions of packages libapache2-mod-php5 suggests:
ii php-pear 5.3.5-1ubuntu7.2 PEAR - PHP Extension and Applicati
-- no debconf information
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#639268; Package libapache2-mod-php5.
(Mon, 21 Nov 2011 10:36:12 GMT) (full text, mbox, link).
Acknowledgement sent
to BohwaZ <bohwaz@bohwaz.net>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Mon, 21 Nov 2011 10:36:12 GMT) (full text, mbox, link).
Message #10 received at 639268@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
The bug is from Suhosin which doesn't allow execution of phar:// URLs
(what a shame).
You need to add this to your php.ini :
suhosin.executor.include.whitelist="phar"
[signature.asc (application/pgp-signature, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#639268; Package libapache2-mod-php5.
(Sat, 15 Sep 2012 12:21:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Christian Weiske <cweiske@cweiske.de>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Sat, 15 Sep 2012 12:21:03 GMT) (full text, mbox, link).
Message #15 received at 639268@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
> The bug is from Suhosin which doesn't allow execution of phar:// URLs
No, this is not the issue. The issue is that apache does not even let
PHP handle the .phar file at all.
--
Regards/Mit freundlichen Grüßen
Christian Weiske
-=≡ Geeking around in the name of science since 1982 ≡=-
[signature.asc (application/pgp-signature, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#639268; Package libapache2-mod-php5.
(Mon, 10 Mar 2014 10:51:05 GMT) (full text, mbox, link).
Acknowledgement sent
to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Mon, 10 Mar 2014 10:51:05 GMT) (full text, mbox, link).
Message #20 received at 639268@bugs.debian.org (full text, mbox, reply):
On Sat, September 15, 2012 13:08, Christian Weiske wrote:
>> The bug is from Suhosin which doesn't allow execution of phar:// URLs
>
> No, this is not the issue. The issue is that apache does not even let
> PHP handle the .phar file at all.
I'm missing why we would want Apache to handle the phar file directly. If
it's an archive, don't you want to download it instead of execute it in
the web server context?
Cheers,
Thijs
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#639268; Package libapache2-mod-php5.
(Mon, 17 Mar 2014 17:00:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Christian Weiske <cweiske@cweiske.de>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Mon, 17 Mar 2014 17:00:05 GMT) (full text, mbox, link).
Message #25 received at 639268@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Configure apache to handle .phar, .phar.bz2, phar.gz and .phar.zip
files with the PHP module.
Resolves: #639268
---
INSTALL | 6 +++---
debian/php5-cgi.conf | 4 ++--
debian/php5.conf | 4 ++--
debian/php5filter.conf | 4 ++--
4 files changed, 9 insertions(+), 9 deletions(-)
diff --git INSTALL INSTALL
index 141e4f8..2d2abb7 100644
--- INSTALL
+++ INSTALL
@@ -462,9 +462,9 @@ LoadModule php5_module modules/libphp5.so
SetHandler application/x-httpd-php
</FilesMatch>
Or, if we wanted to
allow .php, .php2, .php3, .php4, .php5, .php6,
- and .phtml files to be executed as PHP, but nothing else, we'd
use
- this:
-<FilesMatch "\.ph(p[2-6]?|tml)$">
+ .phtml, .phar, .phar.bz2, phar.gz and .phar.zip files
to be
+ executed as PHP, but nothing else, we'd use this:
+<FilesMatch "\.ph(ar(|\.bz2|\.gz|\.zip)|p[2-6]?|tml)$">
SetHandler application/x-httpd-php
</FilesMatch>
And to allow .phps files to be handled by the php source
filter, diff --git debian/php5-cgi.conf debian/php5-cgi.conf
index 2a18b14..32d3bfa 100644
--- debian/php5-cgi.conf
+++ debian/php5-cgi.conf
@@ -5,7 +5,7 @@
# application/x-httpd-php3 php3
# application/x-httpd-php4 php4
# application/x-httpd-php5 php
-<FilesMatch ".+\.ph(p[345]?|t|tml)$">
+<FilesMatch ".+\.ph(ar(|\.bz2|\.gz|\.zip)|p[345]?|t|tml)$">
SetHandler application/x-httpd-php
</FilesMatch>
# application/x-httpd-php-source phps
@@ -18,7 +18,7 @@
Deny from all
</FilesMatch>
# Deny access to files without filename (e.g. '.php')
-<FilesMatch "^\.ph(p[345]?|t|tml|ps)$">
+<FilesMatch "^\.ph(ar(|\.bz2|\.gz|\.zip)|p[345]?|t|tml|ps)$">
Order Deny,Allow
Deny from all
</FilesMatch>
diff --git debian/php5.conf debian/php5.conf
index 2e9772f..c70347f 100644
--- debian/php5.conf
+++ debian/php5.conf
@@ -1,4 +1,4 @@
-<FilesMatch ".+\.ph(p[345]?|t|tml)$">
+<FilesMatch ".+\.ph(ar(|\.bz2|\.gz|\.zip)|p[345]?|t|tml)$">
SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch ".+\.phps$">
@@ -10,7 +10,7 @@
Deny from all
</FilesMatch>
# Deny access to files without filename (e.g. '.php')
-<FilesMatch "^\.ph(p[345]?|t|tml|ps)$">
+<FilesMatch "^\.ph(ar(|\.bz2|\.gz|\.zip)|p[345]?|t|tml|ps)$">
Order Deny,Allow
Deny from all
</FilesMatch>
diff --git debian/php5filter.conf debian/php5filter.conf
index 50c88b4..ce3f163 100644
--- debian/php5filter.conf
+++ debian/php5filter.conf
@@ -1,9 +1,9 @@
-<FilesMatch ".+\.ph(p3?|tml)$">
+<FilesMatch ".+\.ph(ar(|\.bz2|\.gz|\.zip)|p3?|tml)$">
SetInputFilter PHP
SetOutputFilter PHP
</FilesMatch>
# Deny access to files without filename (e.g. '.php')
-<FilesMatch "^\.ph(p[345]?|t|tml|ps)$">
+<FilesMatch "^\.ph(ar(|\.bz2|\.gz|\.zip)|p[345]?|t|tml|ps)$">
Order Deny,Allow
Deny from all
</FilesMatch>
--
1.8.3.2
[signature.asc (application/pgp-signature, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#639268; Package libapache2-mod-php5.
(Mon, 17 Mar 2014 17:09:04 GMT) (full text, mbox, link).
Acknowledgement sent
to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Mon, 17 Mar 2014 17:09:04 GMT) (full text, mbox, link).
Message #30 received at 639268@bugs.debian.org (full text, mbox, reply):
Hi,
Thanks, but this does not really answer my question?
Thijs
On Mon, March 17, 2014 17:48, Christian Weiske wrote:
> Configure apache to handle .phar, .phar.bz2, phar.gz and .phar.zip
> files with the PHP module.
>
> Resolves: #639268
> ---
> INSTALL | 6 +++---
> debian/php5-cgi.conf | 4 ++--
> debian/php5.conf | 4 ++--
> debian/php5filter.conf | 4 ++--
> 4 files changed, 9 insertions(+), 9 deletions(-)
>
> diff --git INSTALL INSTALL
> index 141e4f8..2d2abb7 100644
> --- INSTALL
> +++ INSTALL
> @@ -462,9 +462,9 @@ LoadModule php5_module modules/libphp5.so
> SetHandler application/x-httpd-php
> </FilesMatch>
> Or, if we wanted to
> allow .php, .php2, .php3, .php4, .php5, .php6,
> - and .phtml files to be executed as PHP, but nothing else, we'd
> use
> - this:
> -<FilesMatch "\.ph(p[2-6]?|tml)$">
> + .phtml, .phar, .phar.bz2, phar.gz and .phar.zip files
> to be
> + executed as PHP, but nothing else, we'd use this:
> +<FilesMatch "\.ph(ar(|\.bz2|\.gz|\.zip)|p[2-6]?|tml)$">
> SetHandler application/x-httpd-php
> </FilesMatch>
> And to allow .phps files to be handled by the php source
> filter, diff --git debian/php5-cgi.conf debian/php5-cgi.conf
> index 2a18b14..32d3bfa 100644
> --- debian/php5-cgi.conf
> +++ debian/php5-cgi.conf
> @@ -5,7 +5,7 @@
> # application/x-httpd-php3 php3
> # application/x-httpd-php4 php4
> # application/x-httpd-php5 php
> -<FilesMatch ".+\.ph(p[345]?|t|tml)$">
> +<FilesMatch ".+\.ph(ar(|\.bz2|\.gz|\.zip)|p[345]?|t|tml)$">
> SetHandler application/x-httpd-php
> </FilesMatch>
> # application/x-httpd-php-source phps
> @@ -18,7 +18,7 @@
> Deny from all
> </FilesMatch>
> # Deny access to files without filename (e.g. '.php')
> -<FilesMatch "^\.ph(p[345]?|t|tml|ps)$">
> +<FilesMatch "^\.ph(ar(|\.bz2|\.gz|\.zip)|p[345]?|t|tml|ps)$">
> Order Deny,Allow
> Deny from all
> </FilesMatch>
> diff --git debian/php5.conf debian/php5.conf
> index 2e9772f..c70347f 100644
> --- debian/php5.conf
> +++ debian/php5.conf
> @@ -1,4 +1,4 @@
> -<FilesMatch ".+\.ph(p[345]?|t|tml)$">
> +<FilesMatch ".+\.ph(ar(|\.bz2|\.gz|\.zip)|p[345]?|t|tml)$">
> SetHandler application/x-httpd-php
> </FilesMatch>
> <FilesMatch ".+\.phps$">
> @@ -10,7 +10,7 @@
> Deny from all
> </FilesMatch>
> # Deny access to files without filename (e.g. '.php')
> -<FilesMatch "^\.ph(p[345]?|t|tml|ps)$">
> +<FilesMatch "^\.ph(ar(|\.bz2|\.gz|\.zip)|p[345]?|t|tml|ps)$">
> Order Deny,Allow
> Deny from all
> </FilesMatch>
> diff --git debian/php5filter.conf debian/php5filter.conf
> index 50c88b4..ce3f163 100644
> --- debian/php5filter.conf
> +++ debian/php5filter.conf
> @@ -1,9 +1,9 @@
> -<FilesMatch ".+\.ph(p3?|tml)$">
> +<FilesMatch ".+\.ph(ar(|\.bz2|\.gz|\.zip)|p3?|tml)$">
> SetInputFilter PHP
> SetOutputFilter PHP
> </FilesMatch>
> # Deny access to files without filename (e.g. '.php')
> -<FilesMatch "^\.ph(p[345]?|t|tml|ps)$">
> +<FilesMatch "^\.ph(ar(|\.bz2|\.gz|\.zip)|p[345]?|t|tml|ps)$">
> Order Deny,Allow
> Deny from all
> </FilesMatch>
> --
> 1.8.3.2
>
> _______________________________________________
> pkg-php-maint mailing list
> pkg-php-maint@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-php-maint
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#639268; Package libapache2-mod-php5.
(Mon, 17 Mar 2014 18:18:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Christian Weiske <cweiske@cweiske.de>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Mon, 17 Mar 2014 18:18:04 GMT) (full text, mbox, link).
Message #35 received at 639268@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hello Thijs,
>> I'm missing why we would want Apache to handle the phar file
>> directly. If it's an archive, don't you want to download it instead
>> of execute it in the web server context?
> Thanks, but this does not really answer my question?
I didn't see your question until I read the bug, sorry.
PHAR archives can be used to distribute full web applications with all
dependencies included, so that you only have to put it in your web
server's document root and access it via your browser.
Specifically to support this, phar has a feature called "web index
file" in the phar stub[1]. It gets called whenever the phar is executed
through a HTTP request.
So it makes sense to let PHP handle phar files (and their compressed
versions) directly, without extracting them.
More information about phar can be found on [2].
[1] http://www.php.net/manual/en/phar.createdefaultstub.php
[2] http://www.php.net/manual/en/intro.phar.php
--
Regards/Mit freundlichen Grüßen
Christian Weiske
-=≡ Geeking around in the name of science since 1982 ≡=-
[signature.asc (application/pgp-signature, attachment)]
Reply sent
to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility.
(Fri, 13 Jan 2017 13:06:31 GMT) (full text, mbox, link).
Notification sent
to Christian Weiske <cweiske@cweiske.de>:
Bug acknowledged by developer.
(Fri, 13 Jan 2017 13:06:31 GMT) (full text, mbox, link).
Message #40 received at 639268-done@bugs.debian.org (full text, mbox, reply):
Version: 5.6.26+dfsg-1+rm
Dear submitter,
as the package php5 has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see https://bugs.debian.org/841781
The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.
Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 11 Feb 2017 07:35:35 GMT) (full text, mbox, link).
Bug unarchived.
Request was from Ondřej Surý <ondrej@debian.org>
to control@bugs.debian.org.
(Thu, 04 May 2017 10:03:06 GMT) (full text, mbox, link).
No longer marked as found in versions 5.3.5-1ubuntu7.2.
Request was from Ondřej Surý <ondrej@debian.org>
to control@bugs.debian.org.
(Thu, 04 May 2017 10:03:06 GMT) (full text, mbox, link).
No longer marked as fixed in versions 5.6.26+dfsg-1+rm.
Request was from Ondřej Surý <ondrej@debian.org>
to control@bugs.debian.org.
(Thu, 04 May 2017 10:03:07 GMT) (full text, mbox, link).
Bug 639268 cloned as bug 861816
Request was from Ondřej Surý <ondrej@debian.org>
to control@bugs.debian.org.
(Thu, 04 May 2017 10:03:07 GMT) (full text, mbox, link).
Changed Bug title to 'libapache2-mod-php7.0,php7.0-cgi: .phar files not executed with php' from 'libapache2-mod-php5: .phar files not executed with php'.
Request was from Ondřej Surý <ondrej@debian.org>
to control@bugs.debian.org.
(Thu, 04 May 2017 10:03:08 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 02 Jun 2017 07:26:56 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sun Jul 2 02:22:03 2023;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.