Bug 544564 - dev-lang/php[apache2]: Uses insecure AddHandler directive (in unused file)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: PHP Bugs
Blocks: 544560
Reported: 2015-03-26 15:50 UTC by Sebastian Pipping
Modified: 2015-04-05 22:18 UTC
Description Sebastian Pipping gentoo-dev 2015-03-26 15:50:32 UTC
I would rather not delete that file myself without review from your side.
To my understanding, it is unused and can be deleted.

# fgrep -Rl '70_mod_php5.conf-apache2' .
./ChangeLog-2012
./Manifest

The reason why I would like to have it removed is the use of AddHandler:

# fgrep -R AddHandler .
./files/70_mod_php5.conf-apache2:               AddHandler application/x-httpd-php .php .php5 .phtml
./files/70_mod_php5.conf-apache2:               AddHandler application/x-httpd-php-source .phps

Please see bug #538822 for why that is a problem.

Thank you!
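
An added example, not part of the original report or of any Gentoo package: a small audit that finds AddHandler directives naming a PHP handler in Apache configuration text and lists file names they would cover even though the name does not end in a mapped extension. The matching rule is a simplified model of Apache mod_mime's multiple-extension behaviour; the configuration text (built from the two directives quoted above) and the file list are constructed samples, and all function names are hypothetical.

```python
import re

# Constructed input: the two directives quoted in the report.
SAMPLE_CONF = """\
<IfModule mod_mime.c>
    AddHandler application/x-httpd-php .php .php5 .phtml
    AddHandler application/x-httpd-php-source .phps
</IfModule>
"""
# Constructed directory listing.
SAMPLE_FILES = ["index.php", "page.phtml", "avatar.php.jpg", "notes.txt", "logo.png"]

# Active (uncommented) AddHandler lines: handler name, then extension list.
ADDHANDLER_RE = re.compile(r"^[ \t]*AddHandler[ \t]+(\S+)[ \t]+(.+?)[ \t]*$", re.I | re.M)


def find_php_addhandlers(conf_text):
    """Return [(handler, [ext, ...])] for each AddHandler naming a PHP handler."""
    return [(h, [e.lstrip(".").lower() for e in exts.split()])
            for h, exts in ADDHANDLER_RE.findall(conf_text) if "php" in h.lower()]


def addhandler_matches(filename, extensions):
    """Simplified mod_mime model: every dot-separated part after the base
    name is an extension, so a mapped one need not be the last."""
    return any(part in extensions for part in filename.lower().split(".")[1:])


def final_extension_matches(filename, extensions):
    """Model of an end-anchored match: only the last extension counts."""
    return "." in filename and filename.lower().rsplit(".", 1)[1] in extensions


def audit(conf_text, filenames):
    """Names the AddHandler mappings cover but an end-anchored match would not."""
    exts = {e for _, es in find_php_addhandlers(conf_text) for e in es}
    return [f for f in filenames
            if addhandler_matches(f, exts) and not final_extension_matches(f, exts)]


if __name__ == "__main__":
    for handler, exts in find_php_addhandlers(SAMPLE_CONF):
        print(f"AddHandler {handler} -> {exts}")
    print("covered by AddHandler only:", audit(SAMPLE_CONF, SAMPLE_FILES))
```
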
Comment 1 Sebastian Pipping gentoo-dev 2015-03-26 16:28:47 UTC
Update:

I just found that my call to grep was the problem.  The file is actually still used:

  # fgrep -Rl 70_mod_php5 . | fgrep ebuild | sort
  ./php-5.3.29.ebuild
  ./php-5.4.36.ebuild
  ./php-5.4.37.ebuild
  ./php-5.4.38.ebuild
  ./php-5.4.39.ebuild
  ./php-5.5.20.ebuild
  ./php-5.5.21.ebuild
  ./php-5.5.22.ebuild
  ./php-5.5.23.ebuild
  ./php-5.6.4.ebuild
  ./php-5.6.5.ebuild
  ./php-5.6.6.ebuild
  ./php-5.6.7.ebuild

So a fix is needed rather than removal.  Please see bug #538822 for a proposed fix.

Thank you!
Comment 2 Sebastian Pipping gentoo-dev 2015-03-27 01:22:23 UTC
I intend to fix this myself with the same fix as used for eselect-php in bug #538822.

Please object now, if you would like to take over.  Thanks.
Comment 3 Sebastian Pipping gentoo-dev 2015-04-05 21:58:15 UTC
Update once again: File files/70_mod_php5.conf-apache2 is NOT used by the ebuilds.

The previous grep matches on "70_mod_php5" are all like

  # fgrep -A1 70_mod_php5 *.ebuild
  php-5.3.29.ebuild:              APACHE2_MOD_CONF="70_mod_php5"
  php-5.3.29.ebuild-              apache-module_pkg_postinst
  [..]

and apache-module_pkg_postinst only prints information.

Furthermore,

  # fgrep -Rl -- -apache2 .
  ./Manifest
  ./ChangeLog-2012

and a look at the change log reveals that there was a -r1 of that file at some point

https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/dev-lang/php/files/70_mod_php5.conf-apache2?revision=1.7
https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/dev-lang/php/files/70_mod_php5.conf-apache2-r1?revision=1.2

which fixed the AddHandler part, interestingly.
Comment 4 Sebastian Pipping gentoo-dev 2015-04-05 22:18:17 UTC
+
+  05 Apr 2015; Sebastian Pipping <sping@gentoo.org> php-5.3.29.ebuild,
+  php-5.4.36.ebuild, php-5.4.37.ebuild, php-5.4.38.ebuild, php-5.4.39.ebuild,
+  php-5.5.20.ebuild, php-5.5.21.ebuild, php-5.5.22.ebuild, php-5.5.23.ebuild,
+  php-5.6.4.ebuild, php-5.6.5.ebuild, php-5.6.6.ebuild, php-5.6.7.ebuild,
+  -files/70_mod_php5.conf-apache2:
+  Resolve unused and misleading files/70_mod_php5.conf-apache2, add note about
+  /etc/apache2/modules.d/70_mod_php5.conf actually being provided by
+  app-eselect/eselect-php by now (bug #544564)
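
Review bot: the description on the last three lines calls the removed file "unused and misleading" but never names the AddHandler directives that made it a security concern, and it cites only bug #544564. Mentioning AddHandler and referencing bug #538822 in the entry would let someone reading the ChangeLog alone find the rationale for the removal.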