This page seeks to give an overview of the problems with php, mod-fcgid and mod-fastcgi configuration in wheezy. More info is at 687307
sf: XXX: I have not tested all this info. Mostly I have only looked at config and source code.
sf: XXX: This is work in progress.
Status quo
Squeeze
- /etc/mime.types has entries like
application/x-httpd-php phtml pht php
which cause mod_php to execute all files that end with .php or have ".php." in the name if no later extension in the name is configured to correspond to a different type or handler. This means "file.php" and "file.php.foobar" get executed, but "file.php.jpg" does not. This is problematic if a site serves uploaded files. A user may then be able to execute arbitrary scripts. This is 589384 The entries in /etc/mime.types are equivalent to
AddType application/x-httpd-php phtml pht php
- in the apache config in global server scope.
- mod_php has in /etc/apache2/mods-available/php5.conf:
<FilesMatch "\.ph(p3?|tml)$"> SetHandler application/x-httpd-php </FilesMatch> <FilesMatch "\.phps$"> SetHandler application/x-httpd-php-source </FilesMatch> # To re-enable php in user directories comment the following lines # (from <IfModule ...> to </IfModule>.) Do NOT set it to On as it # prevents .htaccess files from disabling it. <IfModule mod_userdir.c> <Directory /home/*/public_html> php_admin_value engine Off </Directory> </IfModule>
- By alone, this would only cause "file.php" to be executed, but with the mime.types entries, "file.php.foobar" gets executed, too. So this is misleading.
- mod-fastcgi and mod-fcgid have in their .conf file:
AddHandler fcgid-script .fcgi
(or "... fastcgi-script ..."). In some way, this is actually worse than the php entries in mime.types: It causes to execute all files that end with .fcgi or have ".fcgi." in the name if no later extension in the name is configured to correspond to a different handler. A later extension corresponding to a different type does not help, i.e. "file.fcgi", "file.fcgi.foobar", and "file.php.jpg" all get executed. However, to mitigate this, mod-fcgid and mod-fastcgi also require "options +ExecCGI" to be set for the directory containing the script. This is by default not set globally. Without ExecCGI, mod-fcgid/fastcgi return forbidden (and do not allow the script source to be served).
Wheezy (at 2012-10-15)
The php entries have been removed from mime.types (589384).
- XXX
- mod-fastcgi and mod-fcgid are as in squeeze.
What does Apache do
Deciding if/which handler gets executed is two steps:
First it is checked which configuration sections apply to the request (depending on URL, etc.) and these sections are merged. This is described at http://httpd.apache.org/docs/2.2/sections.html#mergin . Basically the precedence is:
<Location>/<?LocationMatch> (highest)
<Files>/<?FilesMatch>
<?DirectoryMatch>
<Directory>
- none of the above (lowest)
Also the global server config and the matching <?VirtualHost> is merged with the latter having precedence. If a directive occurs multiple times in the same precedence level, the last one wins (at least for the directives interesting here).
- In the second step the config is executed and the handler and mime type info is is set. The handler is then determined by , from highest to lowes precedence: If the handler name determined in this way is not claimed by any module, the default handler is executed instead (i.e. the file is just sent without being executed as script).
Things to take into account
- XXX: cgi
- XXX: mod_action
- A common fcgi configuration seems to be
AddHandler fcgid-script php
Possible solutions
Leave at is in wheezy, add documentation
E.g. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687307#87
Pro:
- Fixes file.php.foobar problem for mod_php
Con:
- XXX
Revert to what we had in squeeze
Pro:
- We don't break updates from squeeze. For jessie, we will have apache 2.4 and people will have to adjust their configs anyway. Also maybe we can get apache 2.4 extended until then to support a sane solution.
Con:
- Will re-introduce the file.php.foobar problem for mod_php
Revert to what we had in squeze, but use non-magic types in /etc/mime.types
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687307#111
Pro:
- Keeps file.php.foobar problem for mod_php fixed
Should keep multiviews bug 670945 fixed
Con:
- Untested