You forgot to cc [email protected] which is in fact a good thing, because this is by no means a critical bug.
The issue is only in the README file which also clearly states (together with hint to use php5-fpm):

In 99% of cases, what you probably want isn't php5-cgi package at all, but rather the libapache2-mod-php5 package, which will configure itself on installation and Just Work(tm). If, however, you have a need to use the CGI version of PHP 5 with Apache HTTP Server, the following should help get you going, ***though there are dozens of different ways to do this.***

O.

On Wed, Aug 1, 2012 at 2:08 AM, Christoph Anton Mitterer <[email protected]> wrote:
> I guess both, CGI and mod_php are affected by this but I haven't checked
> for the latter, as it's security-wise... "problematic", which is why I
> never use it.

If you want to report a bug, you probably should at least check the parts your report is about. And no, mod_php is not affected.

> See the aforementioned bug for what I suggest to do now.
> Basically:
> 1) Add a NEWS item entry, that these mime types were removed
> from /etc/mime.types and what this could mean.
> Possibly linking to the above bug.

Release notes addressed from mime-support is fine.

> 2) Add documentation for the end-users, how they should (safely) enable
> PHP.
>
> For CGI this would be the above (with a corrected mistake):
> -------------------------------------------------------
> #Note: The following is a security measure to remove any possible mappings
> that would also apply on “middle extensions” (for example “test.php.png”).
> RemoveType php

I am not going to add this. If you have a previous mapping somewhere else, it's your problem.

> <Files ?*.php>
> AddType application/x-php php
> </Files>

This is a good idea.

> ScriptAlias /cgi-bin/php5-cgi /usr/lib/cgi-bin/php5
> Action application/x-php /cgi-bin/php5-cgi
> -------------------------------------------------------
> plus the note, that one SHOULD limit AT LEAST the ScriptAlias and
> Action to _only_ such <Directory> blocks, where php files to be
> interpreted reside.

Again this is just a quick&dirty README and not PHP manual, but I have added a reference to CGI Security section in PHP manual.

O.
--
Ondřej Surý <[email protected]>
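The difference between a server-wide `AddType application/x-php php` and the `<Files ?*.php>` form quoted above, as an added example that is not part of the original message: a simplified Python model of mod_mime's multiple-extension lookup (the first dot-separated component is the base name, and the rightmost extension with a known type wins). The type table, sample file names and function names are constructed for illustration.

```python
import fnmatch

PHP_TYPE = "application/x-php"
# Constructed stand-in for the types Apache already knows from mime.types.
KNOWN_TYPES = {"png": "image/png", "html": "text/html", "txt": "text/plain"}


def resolve_type(filename, type_map):
    """Simplified mod_mime lookup: the first dot-separated component is the
    base name, every later component is an extension (case-insensitive),
    and the rightmost extension with a known type wins."""
    resolved = None
    for ext in filename.split(".")[1:]:
        resolved = type_map.get(ext.lower(), resolved)
    return resolved


def global_addtype(filename):
    """Type with a server-wide `AddType application/x-php php`."""
    return resolve_type(filename, {**KNOWN_TYPES, "php": PHP_TYPE})


def scoped_addtype(filename):
    """Type when AddType sits inside `<Files ?*.php>`: the php mapping only
    exists for names that match the glob."""
    type_map = dict(KNOWN_TYPES)
    if fnmatch.fnmatchcase(filename, "?*.php"):
        type_map["php"] = PHP_TYPE
    return resolve_type(filename, type_map)


def handed_to_php(filenames, resolver):
    """Names whose resolved type would trigger `Action application/x-php`."""
    return [name for name in filenames if resolver(name) == PHP_TYPE]


# Constructed sample names, not taken from a real document root.
SAMPLES = ["index.php", "upload.php.bak", "notes.PHP.old",
           "test.php.png", "photo.png"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:16} global={global_addtype(name)} "
              f"scoped={scoped_addtype(name)}")
```

In this model a name such as `upload.php.bak` resolves to the PHP type only under the server-wide mapping, because its trailing extension has no type of its own to override the `php` one.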

