According to thumbs in #apache php files are supposed to be configured via AddHandler, not AddType. I have no idea how serious this is as I was just helping another user to get some support.
[01:11] <thumbs> do NOT use AddType for php
[01:11] <fajita> PHP is enabled (see http://www.php.net) with 'AddHandler application/x-httpd-php .php .phtml' (in your httpd.conf file) or See http://www.php.net/manual/en/install.unix.apache2.php or See http://www.php.net/manual/en/install.unix.apache.php (disregard their use of AddType, See 'AddType')
[01:11] <thumbs> AddHandler application/x-httpd-php .php .phtml
Reproducible: Always
Uhm, the upstream documentation you've linked here [1] explicitly uses AddType, and as it works just fine, it's not going to change. Reopen with more information if you have problems with this, meanwhile WORKSFORME. [1] http://www.php.net/manual/en/install.unix.apache2.php
I appreciate that the php docs explicitly use PHP that's why the #apache people said: "disregard their use of AddType, See 'AddType'" Honestly Jakub are you sleeping or what ;) Sorry, know you're stressed with loads of bugs. And like I said, this isn't affecting me, so fix it, don't fix it, I don't really care. I just thought it'd be wise for gentoo to follow best practise as advised by the apache bods.
As said, if you have problems, then post info about your problems and we'll look into it. We are not changing ebuilds which work fine just because someone on IRC told you that they are wrong for unspecified reason.
And as I have twice said, this doesn't affect me. Are you saying that this is *not* the recommended course of action for apache software? If so, I haven't read it in your comments, and frankly I think it a little unprofessional (not in the paid sense, mind) simply to focus on the "gentoo way" (meaning your process) rather than the quality of the software. Kindly note that I have not once changed your supposed resolution of this issue.
Well, if no one has a problem with this, then I fail to see the point of this bug. Switching to AddHandler would make it impossible for users to use RemoveType if they need it. Enough here, not changing this.
Um, according to apache folks: mod_security will fail to see php requests as 'dynamic' if php is incorrectly configured as a type rather than a handler. AddType is for client-side, AddHandler for the server. The use of AddType is apparently a hack that, yes, works since mod_php is coded to detect it. It is not however the correct method. AddHandler is, which has been around since 1996. To show that this isn't just "someone on IRC" please check: http://wooga.drbacchus.com/why-we-dont-like-php http://www.devside.net/articles/php
Need to take a closer look at this one. Best regards, CHTEKK.
s/AddType/AddHandler/g bosh! (yes; that means close this bug please, pref. RESO/FIXE ;) (and btw there is a RemoveHandler, you grumpy..*plop*! ;P)
The upstream documentation has been amended to reflect this recommendation. Would be a good idea to get the ebuild up to date. Posting patch. http://uk2.php.net/manual/en/install.unix.apache2.php
Created attachment 177518 [details, diff] Use SetHandler rather than misleading AddType
Thanks for the patch and bump, Jamie. > The upstream documentation has been amended to reflect this recommendation. "Instead of only using the Apache AddType directive, we want to avoid potentially dangerous uploads and created files such as exploit.php.jpg from being executed as PHP." CC:ing security.
Created attachment 177638 [details, diff] 70_mod_php5.conf-apache2.patch I think it'd be cleaner if it used mime.c where possible, so we don't force the regex search when we have mime handling loaded. See attached for php4 and 5 (untested, I haven't run apache for _ages_)
Crikey, there's a _tonne_ of people watching security (doh!) so removing. Sorry for spam people.
Created attachment 177648 [details, diff] 70_mod_php.conf-apache2.patch for PHP4; perhaps we should be thinking about changing the name to 70_mod_php4.conf-apache2 and taking the 5 off the newer one? Not sure how tricky that is.
php 4 is out of the tree, so that conf should perhaps be removed altogether.
Please keep security@ in CC if you suspect a security issue. The people watching the alias have decided to do so themselves and are used to some amount of bugmail. Regarding the issue: Can you elaborate how AddType opens a security issue whereas AddHandler does not? Reading the mod_mime documentation, I understand that both allow for multiple filename extensions and will prefer the one associated with a handler. Regarding the patch in attachment 177648 [details, diff]: The regular expression "\.ph(p[3-6]?|html)$" matches .phhtml instead of .phtml, which is probably not intended.
I could reproduce this result:
Using AddType:
* moo.php.gif is not executed
* moo.php.something is executed
Using AddHandler:
* moo.php.gif is executed
* moo.php.something is executed
What am I missing here? The PHP documentation claims the opposite.
Comment on attachment 177518 [details, diff] Use SetHandler rather than misleading AddType >--- /usr/portage/dev-lang/php/files/70_mod_php5.conf-apache2 2008-01-31 16:35:34.000000000 +0000 >+++ /usr/local/portage/dev-lang/php/files/70_mod_php5.conf-apache2 2009-01-05 23:19:17.000000000 +0000 >@@ -5,14 +5,13 @@ > </IfModule> > > # Set it to handle the files >- <IfModule mod_mime.c> >- AddType application/x-httpd-php .php >- AddType application/x-httpd-php .phtml >- AddType application/x-httpd-php .php3 >- AddType application/x-httpd-php .php4 >- AddType application/x-httpd-php .php5 >- AddType application/x-httpd-php-source .phps >- </IfModule> >+ <FilesMatch "\.ph(p[2-6]?|tml)$"> >+ SetHandler application/x-httpd-php >+ </FilesMatch> >+ >+ <FilesMatch "\.phps"> >+ SetHandler application/x-httpd-php-source >+ </FilesMatch> > > DirectoryIndex index.php index.phtml > </IfDefine>
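Review bot: the second block, `<FilesMatch "\.phps">`, has no `$` anchor, unlike the first pattern, so it matches any filename that merely contains ".phps" (for example a `notes.phps.txt`) and hands it to application/x-httpd-php-source; it should read `<FilesMatch "\.phps$">`. Two smaller points: `p[2-6]?` widens the handled set from the previous .php/.php3/.php4/.php5/.phtml list to .php2 and .php6 as well, which deserves a mention in the attachment description, and dropping the `<IfModule mod_mime.c>` guard is correct here because FilesMatch and SetHandler are core directives rather than mod_mime ones.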
> Using AddType:
> * moo.php.gif is not executed
Perhaps mime module is kicking in choosing .gif so not executing.
> What am I missing here? The PHP documentation claims the opposite.
They should all execute, AddHandler is just more correct. I am not sure why security is CC'ed in, however I support there is potential risk of php getting executed on certain file uploads because the file extension does not get fully checked (as you proved with .php.something executing). The patch checks the extension properly.
Also, you are correct with the regex ... it should be: <FilesMatch "\.ph(p[2-6]?|tml)$"> (Bugzilla edit file didn't seem to work so well)
As you pointed out as well, neither of the two Add* commands provides any protection from attackers who can upload files to your web server. The only protection is sanitizing/generating the file name or removing Handlers (and Types, whatever you introduced) via .htaccess -- a lack of both of these would be considered a security issue in the application that allows those file uploads. I can agree with the design POV of using AddHandler instead of AddType, but I have no clue as to why PHP upstream claims a security impact.
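The behaviour argued over in the last few comments (the AddType vs AddHandler reproduction, the .phtml/.phhtml regex slip, and the point that neither Add* directive protects against an uploaded file that simply ends in .php) can be checked without running Apache. The script below is an added example, not code from this bug or from the Gentoo ebuild: it models mod_mime's extension walk in a simplified way (an assumption, labelled as such in the code), uses constructed filenames, and evaluates the two FilesMatch regexes quoted in this thread against them.

```python
import re

PHP_HANDLER = "application/x-httpd-php"

# Constructed filenames standing in for the cases discussed in the bug
# (moo.php.gif, moo.php.something, the .phtml/.phhtml slip, exploit.php.jpg).
SAMPLE_NAMES = [
    "index.php", "page.phtml", "odd.phhtml", "moo.php.gif",
    "moo.php.something", "exploit.php.jpg", "photo.jpg",
]

# Mirror of the old config: AddType application/x-httpd-php for .php, .phtml,
# .php3, .php4, .php5, plus two image types mod_mime would know from mime.types.
PHP_EXTS = ("php", "phtml", "php3", "php4", "php5")
IMAGE_TYPES = {"gif": "image/gif", "jpg": "image/jpeg"}
ADDTYPE_CONF = {
    "types": {**IMAGE_TYPES, **{e: PHP_HANDLER for e in PHP_EXTS}},
    "handlers": {},
}
# Same extension list, but via AddHandler instead of AddType.
ADDHANDLER_CONF = {
    "types": dict(IMAGE_TYPES),
    "handlers": {e: PHP_HANDLER for e in PHP_EXTS},
}

# The two FilesMatch patterns quoted in the bug: the one with the ".phhtml"
# slip and the corrected one.
BUGGY_FILESMATCH = re.compile(r"\.ph(p[3-6]?|html)$")
FIXED_FILESMATCH = re.compile(r"\.ph(p[2-6]?|tml)$")


def mod_mime_resolve(filename, types, handlers):
    """Simplified model (assumption) of mod_mime: every dot-separated part
    after the first is treated as an extension and walked left to right;
    a known extension overrides the type or handler set by an earlier one,
    an unknown one is ignored. Returns (content_type, handler)."""
    content_type, handler = None, None
    for ext in filename.split(".")[1:]:
        ext = ext.lower()
        if ext in types:
            content_type = types[ext]
        if ext in handlers:
            handler = handlers[ext]
    return content_type, handler


def executed_by_php(content_type, handler):
    """mod_php takes the request if either the handler or the type is its own."""
    return PHP_HANDLER in (content_type, handler)


def filesmatch_executes(filename, pattern):
    """<FilesMatch> + SetHandler: the whole filename is tested against the regex."""
    return pattern.search(filename) is not None


def compare(names=SAMPLE_NAMES):
    """Return, per filename, whether each configuration hands it to PHP."""
    result = {}
    for name in names:
        result[name] = {
            "AddType": executed_by_php(*mod_mime_resolve(name, **ADDTYPE_CONF)),
            "AddHandler": executed_by_php(*mod_mime_resolve(name, **ADDHANDLER_CONF)),
            "FilesMatch(buggy)": filesmatch_executes(name, BUGGY_FILESMATCH),
            "FilesMatch(fixed)": filesmatch_executes(name, FIXED_FILESMATCH),
        }
    return result


if __name__ == "__main__":
    table = compare()
    cols = ["AddType", "AddHandler", "FilesMatch(buggy)", "FilesMatch(fixed)"]
    print(f"{'file':20}" + "".join(f"{c:>20}" for c in cols))
    for name, row in table.items():
        print(f"{name:20}" + "".join(f"{str(row[c]):>20}" for c in cols))
```

Under this model moo.php.gif is not executed with AddType (the later .gif type wins) but is with AddHandler (the .gif type does not clear the handler), while moo.php.something runs under both, which is exactly the reproduction reported above. The anchored FilesMatch regex refuses both double-extension names, and the corrected pattern handles page.phtml while the slipped one only matched odd.phhtml. A plain index.php (or any uploaded file named *.php) is handed to PHP by every configuration, which is the point made in the comment above: the directive choice narrows the extension check, it does not replace filename sanitising in the uploading application.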
Thanks to all of the commenters. I have added an improved config in php-5.2.8-r2. We're mainly using the example from upstream with <FilesMatch>, but with an adapted regexp (I don't want to cause behavior changes just by changing the configs). Stabling is handled in bug 249703. As to the security impact: I don't consider this to be an issue in PHP, but it's certainly a less than optimal default currently, which should be better with -r2 now. The regexp matching should ensure that only files ending with .php (and .php5, .phtml) are indeed handled by PHP, and not arbitrary files which just accidentally happen to contain a ".php" somewhere in the name.