Package: php5-common; Maintainer for php5-common is (unknown);
Reported by: Christoph Anton Mitterer <calestyo@scientia.net>
Date: Wed, 23 May 2012 20:27:01 UTC
Severity: wishlist
Found in version php5/5.4.3-5
Fixed in version php5/5.4.4-4
Done: Ondřej Surý <ondrej@debian.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#674205; Package php5-common.
(Wed, 23 May 2012 20:27:04 GMT)
Acknowledgement sent
to Christoph Anton Mitterer <calestyo@scientia.net>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Wed, 23 May 2012 20:27:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: php5-common
Version: 5.4.3-5
Severity: wishlist
Hi.
Currently, README.Debian documents the setup of CGI with Apache like this:
<IfModule mod_actions.c>
ScriptAlias /cgi-bin/php5-cgi /usr/lib/cgi-bin/php5
Action php5-cgi /cgi-bin/php5-cgi
AddHandler php5-cgi .php
</IfModule>
May I suggest to change it to:
-------------------------------------------------------
#Note: The following is a security measure to remove any possible mappings that would also apply on “middle extensions” (for example “test.php.png”).
RemoveType php
<Files ?*.php>
AddType application/x-httpd-php php
</Files>
ScriptAlias /cgi-bin/php5-cgi /usr/lib/cgi-bin/php5
Action php5-cgi /cgi-bin/php5-cgi
-------------------------------------------------------
Motivation:
- Conditionally including (<IfModule mod_actions.c>) can be dangerous:
If mod_actions is not loaded, no handler is set and any .php files will be served
as normal files.
While it's certainly a bad idea to rely on the php files being secret, many still have
the bad habit of storing sensitive information in them.
- AddHandler php5-cgi .php alone means that any file that has the "php" extension at any
place, e.g. also example.php.jpeg, is interpreted by php, which can lead to the usual
security attacks.
Putting that in a <Files ?*.php> block, prevents this and only files ending in ".php"
(which excludes the file ".php" itself) will be interpreted.
- The "RemoveType php" removes any previous possible mappings that may also affect the
"middle extensions".
The current /etc/mime.types file in Debian no longer sets a MIME type for PHP, so
with that one it's not a problem,... but IMHO that should return to mime.types as it's
not the business of that file to secure the strange extension handling of apache.
- I personally prefer setting a MIME type instead of a handler... which has the advantage
that if one really wants to serve (and not interpret) .php files... the definition is
then already in place :)
Cheers,
Chris.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#674205; Package php5-common.
(Wed, 01 Aug 2012 00:12:03 GMT)
Acknowledgement sent
to Christoph Anton Mitterer <calestyo@scientia.net>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Wed, 01 Aug 2012 00:12:03 GMT)
Message #10 received at 674205@bugs.debian.org:
severity 674205 critical
block 674089 674205
affects
stop
Hi.
Increasing severity to critical, because this is touched / very
important ... with respect to recent changes in the mime-types
package,... which basically break all use of PHP in Debian (in
wheezy)... and will even lead to disclosure of all PHP source files
served by webservers in the usual case.
There is a bug dealing with the backgrounds at: #674089
I guess both, CGI and mod_php are affected by this but I haven't checked
for the latter, as it's security-wise... "problematic", which is why I
never use it.
The short story is, that the php mime-type was removed from mime-types.
At least those Apache/PHP installations using CGI will then lose the
handler on these files, which makes them just served as plain text
files.
This breaks unrelated software (all those using php) and is a security
problem.
See the aforementioned bug for what I suggest to do now.
Basically:
1) Add a NEWS item entry, that these mime types were removed
from /etc/mime.types and what this could mean.
Possibly linking to the above bug.
2) Add documentation for the end-users, how they should (safely) enable
PHP.
For CGI this would be the above (with a corrected mistake):
-------------------------------------------------------
#Note: The following is a security measure to remove any possible mappings that would also apply on “middle extensions” (for example “test.php.png”).
RemoveType php
<Files ?*.php>
AddType application/x-php php
</Files>
ScriptAlias /cgi-bin/php5-cgi /usr/lib/cgi-bin/php5
Action application/x-php /cgi-bin/php5-cgi
-------------------------------------------------------
plus the note, that one SHOULD limit AT LEAST the ScriptAlias and
Action to _only_ such <Directory> blocks, where php files to be
interpreted reside.
Above I used "application/x-php" no longer the
"application/x-httpd-php".
May I point out again that it's rather important to really re-do the:
RemoveType php
<Files ?*.php>
AddType application/x-php php
</Files>
in Apache, even if we should add
application/x-php php
back to mime-types.
This is because by only that, apache would also interpret files like:
evil-virus.php.jpeg as PHP.
Cheers,
Chris.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#674205; Package php5-common.
(Mon, 06 Aug 2012 10:51:10 GMT)
Acknowledgement sent
to Ondřej Surý <ondrej@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Mon, 06 Aug 2012 10:51:10 GMT)
Message #15 received at 674205@bugs.debian.org:
You forgot to cc control@bugs.debian.org which is in fact a good thing, because this is by no means a critical bug.

The issue is only in the README file which also clearly states (together with a hint to use php5-fpm):

  In 99% of cases, what you probably want isn't php5-cgi package at all, but rather the libapache2-mod-php5 package, which will configure itself on installation and Just Work(tm). If, however, you have a need to use the CGI version of PHP 5 with Apache HTTP Server, the following should help get you going, ***though there are dozens of different ways to do this.***

O.

On Wed, Aug 1, 2012 at 2:08 AM, Christoph Anton Mitterer <calestyo@scientia.net> wrote:
> I guess both, CGI and mod_php are affected by this but I haven't checked
> for the latter, as it's security-wise... "problematic", which is why I
> never use it.

If you want to report a bug, you probably should at least check the parts your report is about. And no, mod_php is not affected.

> See the aforementioned bug for what I suggest to do now.
> Basically:
> 1) Add a NEWS item entry, that these mime types were removed
> from /etc/mime.types and what this could mean.
> Possibly linking to the above bug.

Release notes addressed from mime-support is fine.

> 2) Add documentation for the end-users, how they should (safely) enable
> PHP.
>
> For CGI this would be the above (with a corrected mistake):
> -------------------------------------------------------
> #Note: The following is a security measure to remove any possible mappings that would also apply on “middle extensions” (for example “test.php.png”).
> RemoveType php

I am not going to add this. If you have a previous mapping somewhere else, it's your problem.

> <Files ?*.php>
> AddType application/x-php php
> </Files>

This is a good idea.

> ScriptAlias /cgi-bin/php5-cgi /usr/lib/cgi-bin/php5
> Action application/x-php /cgi-bin/php5-cgi
> -------------------------------------------------------
> plus the note, that one SHOULD limit AT LEAST the ScriptAlias and
> Action to _only_ such <Directory> blocks, where php files to be
> interpreted reside.

Again this is just a quick&dirty README and not PHP manual, but I have added a reference to CGI Security section in PHP manual.

O.
--
Ondřej Surý <ondrej@sury.org>
Reply sent
to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility.
(Mon, 06 Aug 2012 12:21:05 GMT)
Notification sent
to Christoph Anton Mitterer <calestyo@scientia.net>:
Bug acknowledged by developer.
(Mon, 06 Aug 2012 12:21:05 GMT)
Message #20 received at 674205-close@bugs.debian.org:
Source: php5
Source-Version: 5.4.4-4
We believe that the bug you reported is fixed in the latest version of
php5, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 674205@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated php5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 06 Aug 2012 13:01:42 +0200
Source: php5
Binary: php5 php5-common libapache2-mod-php5 libapache2-mod-php5filter php5-cgi php5-cli php5-fpm libphp5-embed php5-dev php5-dbg php-pear php5-curl php5-enchant php5-gd php5-gmp php5-imap php5-interbase php5-intl php5-ldap php5-mcrypt php5-mysql php5-mysqlnd php5-odbc php5-pgsql php5-pspell php5-recode php5-snmp php5-sqlite php5-sybase php5-tidy php5-xmlrpc php5-xsl
Architecture: source amd64 all
Version: 5.4.4-4
Distribution: unstable
Urgency: low
Maintainer: Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description:
libapache2-mod-php5 - server-side, HTML-embedded scripting language (Apache 2 module)
libapache2-mod-php5filter - server-side, HTML-embedded scripting language (apache 2 filter mo
libphp5-embed - HTML-embedded scripting language (Embedded SAPI library)
php-pear - PEAR - PHP Extension and Application Repository
php5 - server-side, HTML-embedded scripting language (metapackage)
php5-cgi - server-side, HTML-embedded scripting language (CGI binary)
php5-cli - command-line interpreter for the php5 scripting language
php5-common - Common files for packages built from the php5 source
php5-curl - CURL module for php5
php5-dbg - Debug symbols for PHP5
php5-dev - Files for PHP5 module development
php5-enchant - Enchant module for php5
php5-fpm - server-side, HTML-embedded scripting language (FPM-CGI binary)
php5-gd - GD module for php5
php5-gmp - GMP module for php5
php5-imap - IMAP module for php5
php5-interbase - interbase/firebird module for php5
php5-intl - internationalisation module for php5
php5-ldap - LDAP module for php5
php5-mcrypt - MCrypt module for php5
php5-mysql - MySQL module for php5
php5-mysqlnd - MySQL module for php5 (Native Driver)
php5-odbc - ODBC module for php5
php5-pgsql - PostgreSQL module for php5
php5-pspell - pspell module for php5
php5-recode - recode module for php5
php5-snmp - SNMP module for php5
php5-sqlite - SQLite module for php5
php5-sybase - Sybase / MS SQL Server module for php5
php5-tidy - tidy module for php5
php5-xmlrpc - XML-RPC module for php5
php5-xsl - XSL module for php5
Closes: 674205 683274
Changes:
php5 (5.4.4-4) unstable; urgency=low
.
* Fix php5-fpm segfault (PHP#62205)
* CVE-2012-2688: potential overflow in _php_stream_scandir
(Closes: #683274)
* Improve security in CGI section in README.Debian (Closes: #674205)
Checksums-Sha1:
a95e80d4d01a868ab915de7db523910a42b34c26 3706 php5_5.4.4-4.dsc
fb3327a3b0c23c0e6f88c32d891bd1b28ada7c40 182530 php5_5.4.4-4.diff.gz
4e8df0ad75c3ad2a18bcadcc8c2c3736ca9ee6cf 582546 php5-common_5.4.4-4_amd64.deb
66825a29d8ca01f2d24826b752c403fda7d9483f 2663634 libapache2-mod-php5_5.4.4-4_amd64.deb
3e5f9a6f1f8c968bf1dbc20733d5e2db587d3518 2662600 libapache2-mod-php5filter_5.4.4-4_amd64.deb
80751bbb83f993ec0ba5b2ecd31307b969a51a8c 5096800 php5-cgi_5.4.4-4_amd64.deb
d1836b1cee35880781f1d146e2144f93edfa4907 2556334 php5-cli_5.4.4-4_amd64.deb
f6078a81dd07f2416d9ab27d4caf61e1569e2a7d 2587820 php5-fpm_5.4.4-4_amd64.deb
26415b954eea3f3287a4d964387916ab955aedba 2661340 libphp5-embed_5.4.4-4_amd64.deb
b8825bfcc076e115ef9443242fda71a73cb1b5e1 497742 php5-dev_5.4.4-4_amd64.deb
82ed171163e9b7606ad2cc6b1b49e7f3c157eb19 15952984 php5-dbg_5.4.4-4_amd64.deb
83f8ed7fae788bafbca3656fd1d8df56db2799bd 29056 php5-curl_5.4.4-4_amd64.deb
293f3aa4e5fc6303fdc23c8565bfcb47d2261b97 9906 php5-enchant_5.4.4-4_amd64.deb
e7b0704863cf4d933b07cc0aca49b19478a7c931 35684 php5-gd_5.4.4-4_amd64.deb
fea44bb87d4f62208a40e953c7fa8329c78eb5b2 17136 php5-gmp_5.4.4-4_amd64.deb
315d98dc3678dbc9527a99ff383a484b6d96b774 35580 php5-imap_5.4.4-4_amd64.deb
83853043efa57bedfe45740886f617bde8cd4f94 49586 php5-interbase_5.4.4-4_amd64.deb
f0f3b2f217a3173f5991c540f7f646d234166856 71884 php5-intl_5.4.4-4_amd64.deb
56458e4916c76a574039457a9cbe438379fec4d2 21732 php5-ldap_5.4.4-4_amd64.deb
9dff715cc16347c9dda84f42629ef3b974fa756b 16060 php5-mcrypt_5.4.4-4_amd64.deb
a98ed2a6d62f832d484118d684d6599df61ec4d8 80838 php5-mysql_5.4.4-4_amd64.deb
aef5dd9964368335066961712f6ffb7e6c87e3b8 162360 php5-mysqlnd_5.4.4-4_amd64.deb
fb6755d795f893ca4c72717caeb6e97d6b3c2460 36644 php5-odbc_5.4.4-4_amd64.deb
143d37853e65a2fd5b688705a3f679c38ed5fb9f 61444 php5-pgsql_5.4.4-4_amd64.deb
d8a678203138da59fc41ecd8c72227200c40fd24 8888 php5-pspell_5.4.4-4_amd64.deb
3fe6e3c820cdf4970ed66b01cff0801bc82f1d5a 5186 php5-recode_5.4.4-4_amd64.deb
a2c8e6b7184410354a194a1bd87ed4812aced67b 21792 php5-snmp_5.4.4-4_amd64.deb
5a979d8ec90550fc0883892dc4757dd38a7b81a3 30326 php5-sqlite_5.4.4-4_amd64.deb
e74425deb1df56c2e1d3abf93b166dce64cf826f 28162 php5-sybase_5.4.4-4_amd64.deb
7d105413bb26f637d675fd680e9d2b891608fb80 19578 php5-tidy_5.4.4-4_amd64.deb
bfde58b5911f9da202644b1e382759e36f96e320 36260 php5-xmlrpc_5.4.4-4_amd64.deb
311f9af677567905b591113968c55dbe3ad15d2b 15396 php5-xsl_5.4.4-4_amd64.deb
be4cf2d63f05edcae60f739e736d75bd6ad6b509 1016 php5_5.4.4-4_all.deb
c354afdad6714d7553a95805824b36be39bba8c5 367330 php-pear_5.4.4-4_all.deb
Checksums-Sha256:
ac437197ed7e9bd7eee0961179f9337c28d0a6b7abedb557bfdb71de377ef4a0 3706 php5_5.4.4-4.dsc
1fa65941d3355ffaa2c018b3d2870fe6a6f9f621f2131ff612d153004f53c6f0 182530 php5_5.4.4-4.diff.gz
ce31561366b7cf0375495b605cad90b16944abee10c74113324808a6a6d07241 582546 php5-common_5.4.4-4_amd64.deb
4da5ea5bce98664b7a0784cfa17e057f3e85e5ba198696a0f165e431a537edbd 2663634 libapache2-mod-php5_5.4.4-4_amd64.deb
e77749ce77613103b5d3d684db831d918a78d32076dbb1c286eed3112637baa8 2662600 libapache2-mod-php5filter_5.4.4-4_amd64.deb
c0a798a7903c43c754f9fe31c80d64265935e0ae1e1569d0d956a599d9a5d735 5096800 php5-cgi_5.4.4-4_amd64.deb
3c3b0fb3ec8b6bbe55916cfe7b3ad0896c84650ca215bbea15bfc2c0c62581fe 2556334 php5-cli_5.4.4-4_amd64.deb
1455a264535c6d51989eaaa3b688f3eca7d7e2d5e663c8468307e373b5933f15 2587820 php5-fpm_5.4.4-4_amd64.deb
78af5f8b769f2213862681c917c5b053dd576724b3faa4e15d93784510aac246 2661340 libphp5-embed_5.4.4-4_amd64.deb
a156b809272e44d649eb468921de402caa174a75dd9e6f77aac75fdaec013bc1 497742 php5-dev_5.4.4-4_amd64.deb
5ebd9bbcd47163f31990dea0349147e88382f9aba0d0b45f875c6cb4e6d47ebb 15952984 php5-dbg_5.4.4-4_amd64.deb
cee5d5769863a977210fa196a2f7e5eb476a3fa54407bd6a2db4f06fe02d80cb 29056 php5-curl_5.4.4-4_amd64.deb
74a7aa723290af29fe97aba5c0b1e43ac3a2024afe875da441b72f2aace23afd 9906 php5-enchant_5.4.4-4_amd64.deb
10d5374d464199e981075e7791ae3676bc438b7e189b59f70173a295d9bb76ef 35684 php5-gd_5.4.4-4_amd64.deb
b25fb93cd1c737f1803b0853912d0d9783747af4fae96aced5d5e6fb2126b413 17136 php5-gmp_5.4.4-4_amd64.deb
c6b8728421c0dda7efdc220168a67c199196970cff421f8bbbf841cfd13fea00 35580 php5-imap_5.4.4-4_amd64.deb
90ab3b4707861f11000a58b7c64c8a7e1c37aa8c9c50ffea9e29f5542bd0b5f3 49586 php5-interbase_5.4.4-4_amd64.deb
e95bc94ef4cd88ab4ec83b310ac638d8d66ea6728894fa205d517b7372cba277 71884 php5-intl_5.4.4-4_amd64.deb
6de8e654e63733bb497c2ebe91a4a4a7dd0c5b2df72d70b3956763ac16585cca 21732 php5-ldap_5.4.4-4_amd64.deb
14768a55c3745cf683ad8ac34ed32c29ae2e7bce13e20d30307a1f078447d860 16060 php5-mcrypt_5.4.4-4_amd64.deb
9a8e3b3247cc4944c4fc7fac9d1f9bfc5aa2f29008e4114c9b7c39382860efbc 80838 php5-mysql_5.4.4-4_amd64.deb
7fa580bf3d0499b5e4d4f12c5d8920a241ad68163e6959ba003bdcceadb8cfe3 162360 php5-mysqlnd_5.4.4-4_amd64.deb
ec2e828361c93da438c529308109cb76f65c5d4cfe6feb29c93d37aa5b0f2041 36644 php5-odbc_5.4.4-4_amd64.deb
cc69198adedfecdda4379c3ab21cf753df6d50f18c8607cb1bf50b5a17798122 61444 php5-pgsql_5.4.4-4_amd64.deb
d7c6eb7e771dc9cf514483e1ee87d338a42e9afa6c264711f0cecb3e24628db3 8888 php5-pspell_5.4.4-4_amd64.deb
d7841f01953ae71329db9c05f3a709170db2e52431b9a7c95595da74d1e49a7c 5186 php5-recode_5.4.4-4_amd64.deb
5bb8a293d7edb04de3f8630dd8f2984df184afa9b8d35e7d38273b2e67a68b69 21792 php5-snmp_5.4.4-4_amd64.deb
3dd1ce34650c0f2fa1f1f2ce6c768d35f0582299247feb0c7e2d1a81fdd6da31 30326 php5-sqlite_5.4.4-4_amd64.deb
033daded7da409c3148c9571e55a89eae0515b50f4914ea0289f378781d31cf9 28162 php5-sybase_5.4.4-4_amd64.deb
829a3a357e6bae58e2595cc94daf5da51b3e32a2d3def327aeced0655e5a4afc 19578 php5-tidy_5.4.4-4_amd64.deb
570f9336b81556cfe6aa1b3c967bd1b94ff89bf1a5fe5df3768385ff20e9f880 36260 php5-xmlrpc_5.4.4-4_amd64.deb
57ae8a35d34c26fdbabbf3eb60374931e047bdf8801caef62f0c0bd8530c46af 15396 php5-xsl_5.4.4-4_amd64.deb
db05e3ab0eebf34e6907f33d0ae3d4666ba201aafd2c3ac877a4f6afec621604 1016 php5_5.4.4-4_all.deb
4a9aa4bacc25196a424ef41b579055b3a940a71fccbba607750cc27303998e28 367330 php-pear_5.4.4-4_all.deb
Files:
5c7b7e51ad7c6493824fcee260fdb7a9 3706 php optional php5_5.4.4-4.dsc
550078251ab0e67da9132c20011053d7 182530 php optional php5_5.4.4-4.diff.gz
4ce59141ff131037422d48bfb0fc4633 582546 php optional php5-common_5.4.4-4_amd64.deb
f34a03c271c5125a226e48bec86a0212 2663634 httpd optional libapache2-mod-php5_5.4.4-4_amd64.deb
1b3e5ac288d8e76c8b683dc34f1bfc46 2662600 httpd extra libapache2-mod-php5filter_5.4.4-4_amd64.deb
ed692702fe527026cec7611649787759 5096800 php optional php5-cgi_5.4.4-4_amd64.deb
730ffe83735e68f5d461ba7da13b0a59 2556334 php optional php5-cli_5.4.4-4_amd64.deb
4babe7d74b6814299a4835457ef0ac52 2587820 php optional php5-fpm_5.4.4-4_amd64.deb
8439865ece65a6691ef201c938c4fc5c 2661340 php optional libphp5-embed_5.4.4-4_amd64.deb
179cd0cdd4c98b6a28cb9e82f0a0a51e 497742 php optional php5-dev_5.4.4-4_amd64.deb
6b5f90107139643909c71f3261e37e62 15952984 debug extra php5-dbg_5.4.4-4_amd64.deb
428477041dc8bd1b3582700ed00e2c96 29056 php optional php5-curl_5.4.4-4_amd64.deb
2cf2e62b110bb6a981fbf2a0e6baaf51 9906 php optional php5-enchant_5.4.4-4_amd64.deb
bb402def3620158b1e0642c27ee76681 35684 php optional php5-gd_5.4.4-4_amd64.deb
7625a94a203954e5fe9bc26af113f6a9 17136 php optional php5-gmp_5.4.4-4_amd64.deb
e85ee0219bcf81d6fa8ab3747f5bc8b5 35580 php optional php5-imap_5.4.4-4_amd64.deb
049b01deb8823d070d0c35df0f6e57f0 49586 php optional php5-interbase_5.4.4-4_amd64.deb
123f0ed72a50ae38f35b2dea2970fed5 71884 php optional php5-intl_5.4.4-4_amd64.deb
be80a479676bd8cbbd594ec604baa1c4 21732 php optional php5-ldap_5.4.4-4_amd64.deb
e7404ea246500b3f20b64df4b277c34d 16060 php optional php5-mcrypt_5.4.4-4_amd64.deb
e29caa33999635c5989e440c9505c1b8 80838 php optional php5-mysql_5.4.4-4_amd64.deb
03555fca04d7ef573a6c1c122c5fc71a 162360 php extra php5-mysqlnd_5.4.4-4_amd64.deb
36b18b0eee99dbd76a043b1d89b92fe1 36644 php optional php5-odbc_5.4.4-4_amd64.deb
f17a3387cd4d45d64288ca0fc9c79849 61444 php optional php5-pgsql_5.4.4-4_amd64.deb
cc63fe08ae6ec06d93d5d9618fffc1ec 8888 php optional php5-pspell_5.4.4-4_amd64.deb
7ce67c70ee0ea82018ebbef0ff1d5d3f 5186 php optional php5-recode_5.4.4-4_amd64.deb
f13a3b0664c92057269f866930f95c31 21792 php optional php5-snmp_5.4.4-4_amd64.deb
61f414c9147063e30718eca6190f444c 30326 php optional php5-sqlite_5.4.4-4_amd64.deb
960e9344c2452a095e23d3f9bbe1b381 28162 php optional php5-sybase_5.4.4-4_amd64.deb
ff9bbd533f529b3a1066fa294d5f109e 19578 php optional php5-tidy_5.4.4-4_amd64.deb
0e76d1a741837850e0aece698c805f8c 36260 php optional php5-xmlrpc_5.4.4-4_amd64.deb
0712f6c9a37f8ef9c438a818374676aa 15396 php optional php5-xsl_5.4.4-4_amd64.deb
d666a09d15b03fd1a58aac0f32f27c63 1016 php optional php5_5.4.4-4_all.deb
a01500f12ae5f78c07e39aec12fdc2e7 367330 php optional php-pear_5.4.4-4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAlAfs00ACgkQ9OZqfMIN8nPxQQCfYjZreK7jBKOVuGDeZ+/phcQK
4ZQAn0pd9IkJfhglO6bdgUZ9cHqLhrK2
=gA4t
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#674205; Package php5-common.
(Sun, 12 Aug 2012 23:30:05 GMT)
Acknowledgement sent
to Christoph Anton Mitterer <calestyo@scientia.net>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Sun, 12 Aug 2012 23:30:05 GMT)
Message #25 received at 674205@bugs.debian.org:
Ok let me see...
On Mon, 2012-08-06 at 12:49 +0200, Ondřej Surý wrote:
> You forgot to cc control@bugs.debian.org
Oops...
> because this is by no means a critical bug.
Well I guess it should be quite obvious that it became one:
Even if your quote from below (that people should use mod-php5) would
be good advice, we offer our users the -cgi package AND we tell them
how to configure it.
Now how we told them to do, was kinda flawed, for the reasons I've
already laid out before (the foo.php.jpeg issue, for example)... and
things got worse when the mime-type package dropped the type for php.
As a consequence, no php files were interpreted anymore but (even worse)
just served.
The former is a "breaks unrelated software", the latter is a security
issue, as people rely on the php files not being served; which is
arguably bad style and security by obscurity, but nevertheless real
world.
And there's absolutely no reason to take the above (or any other of my
comments) personally or as offensive.
The same applies when I (in the past) said that PHP itself has security
issues. This is not meant against you, but I guess it can be easily
shown that we see quite often CVEs... and all I want is to emphasize how
it can be secured as much as possible (therefore also my position
regarding the suhosin discussion).
I like your efforts, Ondřej, and those of the other Debian PHP
maintainers,... but it's unfortunate if such an issue is not considered
critical, just because it's not the usual kind of buffer overrun /
remote code exploit hole.
I think it's clear that a chain thing of bad things happened for this to
occur, including the weird way how Apache handles this.
Nevertheless... :)
> The issue is only in the README file which also clearly states
> (together with hint to use php5-fpm):
>
> In 99% of cases, what you probably want isn't php5-cgi package at
> all, but rather the libapache2-mod-php5 package, which will
> configure itself on installation and Just Work(tm). If, however, you
> have a need to use the CGI version of PHP 5 with Apache HTTP Server,
> the following should help get you going, ***though there are dozens of
> different ways to do this.***
Well I think that hint is at best questionable and in reality likely actually dangerous.
I know this is also to some extent the position of PHP upstream, but I
guess less because of real technical reasons and more because of that
they want easy out-of-the-box setups.
But it should be quite clear, that mighty systems like PHP must be fully
understood to really maintain them in a secure manner.
The mod-php5 is surely faster than normal CGI, but not much (if at all)
faster than operation with FastCGI.
And from a security (and stability) point of view it's a nightmare,
given that it not only runs in the user context of the webserver, but
actually inside the webserver itself (=> stability).
Especially that sites easily host more than one PHP program, which, as a
consequence, all run as www-data, should prevent any careful
administrator from sleeping.
But that's just my 0.02€ on that matter... so back to the actual bug. :)
> If you want to report a bug, you probably should at least check the
> parts your report is about. And no, mod_php is not affected.
As I wrote, I haven't looked that up... and AFAIU mod_php by itself IS
actually affected, as it also needs some handler/action or similar
definition that typically goes by file extension.
It's just Debian's mod_php package that is secure, as it ships an
already (largely) secure .conf snippet.
But, dear Ondřej, a few words on that:
a) You're using <FilesMatch> (in an already quite secure way! :) ) ...
if you really insist on keeping that (more below) please modify it as
follows:
- Add "?:" to the pattern "(p3?|tml)"... i.e. make it (?:p3?|tml).
This has no effect on the pattern, it just disables the subpattern
variables (i.e. $1, $2) which we don't use anyway... and makes it
thereby a bit faster.
- as usual, please make files like ".php" (alone) not match,...
typically these are meant as "hidden" files and not as a *.php file.
So I'd suggest to change patterns to e.g. ".+\.phps$"
b) I'd use <Files> though, as it's faster (I guess even though having
more rules) and we don't need the mightiness of PCRE matching.
So we'd get:
<Files ?*.php>
SetHandler application/x-httpd-php
</Files>
<Files ?*.php3>
SetHandler application/x-httpd-php
</Files>
<Files ?*.phtml>
SetHandler application/x-httpd-php
</Files>
<Files ?*.phps>
SetHandler application/x-httpd-php-source
</Files>
c) In any of the two cases, add:
RemoveType php php3 phtml phps
We cannot know, whether the user has made up his own definitions in
e.g. /etc/mime.types or even in Apache itself... and we should do
everything as possible to prevent him from the foo.php.evil.jpeg issue.
The RemoveType is just processed once at server start, so it really
doesn't cost us anything.
> > 1) Add a NEWS item entry, that these mime types were removed
> > from /etc/mime.types and what this could mean.
> > Possibly linking to the above bug.
>
> Release notes addressed from mime-support is fine.
What speaks against adding it to php5-cgi, too? It's just a little
entry and saves people possibly from a lot of trouble.
Especially, people are less likely to read all NEWS.Debian entries from
any normal package which is not their core business... but when you have
a site running some PHP program,.... the PHP NEWS.Debian files are
surely something that attract your attention.
If you need help, I can easily write one for you :)
> > RemoveType php
>
> I am not going to add this. If you have a previous mapping somewhere
> else, it's your problem.
Well,... I really don't want to start an argument here with you... but
are there any strong reasons? As said, there is no performance impact
and it should serve as good fallback security.
> > <Files ?*.php>
> > AddType application/x-php php
> > </Files>
> This is a good idea.
Thanks :)
> > ScriptAlias /cgi-bin/php5-cgi /usr/lib/cgi-bin/php5
> > Action application/x-php /cgi-bin/php5-cgi
> > -------------------------------------------------------
> > plus the note, that one SHOULD limit AT LEAST the ScriptAlias and
> > Actionto _only_ such <Directory> blocks, where php files to be
> > interpreted reside.
>
> Again this is just a quick&dirty README and not PHP manual, but I have
> added a reference to CGI Security section in PHP manual.
Thanks :)
Best wishes,
Chris.
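The configuration variants argued over in this thread (the first report's "example.php.jpeg" point, the second message's insistence on RemoveType, and the <Files>/<FilesMatch> patterns in the message above) differ only in how Apache decides which files reach PHP. The script below is an added example, not part of the bug log and not Debian's or PHP's code. It models the matching rules as this editor reads them from mod_mime's documented "multiple extensions" handling: every dot-separated component after the first is an extension, AddHandler fires on any of them, the content type comes from the right-most extension that has a mapping, <Files> is a wildcard match on the basename and <FilesMatch> a regex search over it. Those rules, the tiny mime.types stand-in and the sample file names are assumptions of the example rather than facts stated on the page. It compares AddHandler .php, <Files ?*.php>, the two FilesMatch patterns, and the scoped AddType with and without RemoveType, on the names used in the thread (evil.php.jpeg, .php) plus one with an unknown trailing extension (evil.php.foo):

```python
"""Model of how Apache mod_mime / <Files> / <FilesMatch> pick the files
that reach PHP.  Added example; the matching rules are a simplified
rendering of mod_mime's "multiple extensions" behaviour and are
assumptions of this script, not something the bug log states."""
from __future__ import annotations

import fnmatch
import re

PHP_TYPE = "application/x-php"

# Constructed stand-in for /etc/mime.types.  The "php" line is what an
# older or locally edited mime.types might still contain.
MIME_TYPES_WITH_PHP = {"jpeg": "image/jpeg", "png": "image/png", "php": PHP_TYPE}
MIME_TYPES_WITHOUT_PHP = {"jpeg": "image/jpeg", "png": "image/png"}


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def extensions(path: str) -> list[str]:
    """mod_mime drops the component before the first dot and treats every
    further piece as an extension: ".php" -> ["php"],
    "evil.php.jpeg" -> ["php", "jpeg"]."""
    return basename(path).split(".")[1:]


def addhandler_fires(path: str, handler_exts: tuple[str, ...] = ("php",)) -> bool:
    """AddHandler php5-cgi .php: the handler is set if ANY extension matches."""
    return any(e in handler_exts for e in extensions(path))


def files_glob(path: str, pattern: str = "?*.php") -> bool:
    """<Files ?*.php>: shell-style wildcard match against the basename only."""
    return fnmatch.fnmatchcase(basename(path), pattern)


def files_match(path: str, regex: str) -> bool:
    """<FilesMatch regex>: regex search over the basename."""
    return re.search(regex, basename(path)) is not None


def resolved_type(path: str, table: dict[str, str]) -> str | None:
    """Content type: the right-most extension that has a mapping wins."""
    ctype = None
    for ext in extensions(path):
        if ext in table:
            ctype = table[ext]
    return ctype


def scoped_addtype_type(path: str, mime_types: dict[str, str], remove_type: bool) -> str | None:
    """Type under  [RemoveType php]  <Files ?*.php> AddType application/x-php php </Files>
    layered on top of the given mime.types table."""
    table = dict(mime_types)
    if remove_type:
        table.pop("php", None)          # RemoveType php
    if files_glob(path, "?*.php"):      # the AddType only applies inside <Files>
        table["php"] = PHP_TYPE
    return resolved_type(path, table)


def reaches_php(path: str) -> dict[str, bool]:
    """Which of the mechanisms from the thread would hand `path` to PHP."""
    return {
        "AddHandler php5-cgi .php": addhandler_fires(path),
        "<Files ?*.php>": files_glob(path),
        r'<FilesMatch "\.ph(p3?|tml)$">': files_match(path, r"\.ph(p3?|tml)$"),
        r'<FilesMatch ".+\.php$">': files_match(path, r".+\.php$"),
        "Files+AddType, php in mime.types": scoped_addtype_type(path, MIME_TYPES_WITH_PHP, False) == PHP_TYPE,
        "RemoveType + Files+AddType": scoped_addtype_type(path, MIME_TYPES_WITH_PHP, True) == PHP_TYPE,
    }


# Constructed sample of names that might land in a document root.
SAMPLE_FILES = ["index.php", "evil.php.jpeg", "evil.php.foo", ".php", "page.phtml", "notes.txt"]

if __name__ == "__main__":
    for path in SAMPLE_FILES:
        flags = "  ".join("Y" if v else "-" for v in reaches_php(path).values())
        print(f"{path:16s} {flags}")
    print("columns, in order:")
    for name in reaches_php("x"):
        print("  " + name)
```

The evil.php.foo row is the one that decides the RemoveType dispute: with a php line in mime.types and no RemoveType, the AddType inside <Files ?*.php> never applies to that name, yet the global mapping still types it as PHP because no later extension overrides it; RemoveType php clears that fallback. The .php row shows the difference between "?*.php" / ".+\.php$" and the "\.ph(p3?|tml)$" pattern.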
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#674205; Package php5-common.
(Sun, 12 Aug 2012 23:33:10 GMT)
Acknowledgement sent
to Christoph Anton Mitterer <calestyo@scientia.net>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Sun, 12 Aug 2012 23:33:10 GMT)
Message #30 received at 674205@bugs.debian.org:
Oh and...

On Mon, 2012-08-06 at 12:49 +0200, Ondřej Surý wrote:
> > <Files ?*.php>
> > AddType application/x-php php
> > </Files>
>
> This is a good idea.
>
> > ScriptAlias /cgi-bin/php5-cgi /usr/lib/cgi-bin/php5
> > Action application/x-php /cgi-bin/php5-cgi
> > -------------------------------------------------------
> > plus the note, that one SHOULD limit AT LEAST the ScriptAlias and
> > Action to _only_ such <Directory> blocks, where php files to be
> > interpreted reside.
>
> Again this is just a quick&dirty README and not PHP manual, but I have
> added a reference to CGI Security section in PHP manual.

Should the above two things already be in place? I've looked at
php5-common_5.4.4-4_amd64.deb but couldn't find them.

Cheers,
Chris.
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 15 Sep 2012 07:25:26 GMT)