On Thu, 28 Apr 2005, Martin Schulze wrote:
> What do people on this list think about fixing PHP include files in a
> DSA that are accessible via HTTP as well and contain one bug or
> another as they are not supposed to be accessible via HTTP but
> accidentally are.

I think not only we should do it, we should also make a big fuss about it, so that some of the PHP people out there at least have a chance to get the clue.

Also, as a service for ourselves and our users, IMHO we should be making it explicitly RC (after sarge, maybe?) to have *any* configuration file or include file in a tree that is exported via a webserver in *any* webserver application (so this is not a PHP-only fix, although that specific kind of braindamage seems to be 99% the fault of the PHP community nowadays...). I.e. IMHO, if it is to be included in Debian, either the maintainer or upstream has to get their act clean first, or it is not even allowed in.

> These files should not be accessible via HTTP in the first place but
> put into /usr/share/something instead and included from there.

Not to mention all the config files which should be in /etc and never *ever* accessible from outside either.

We do have to deal with php_safemode braindead semi-chrooting somehow, though.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
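As an added illustration of the check the message above argues for (example code, not from the Debian project or from anyone in the thread): a small audit of a package's installed file list that flags include and configuration files placed under a webserver-exported tree, and separately lists configuration files that are not under /etc. The web roots, name patterns and the sample file list are assumptions constructed for this example.

```python
"""Audit a package's installed file list for include and configuration files
that sit inside a webserver-exported tree. Added example; the web roots,
name patterns and file list below are constructed, not from a real package."""
import posixpath
import re

# Directory trees the webserver exports. Constructed assumption; a real check
# would derive these from the vhost DocumentRoot/Alias configuration.
WEB_ROOTS = ("/var/www", "/usr/share/webapp-example/www")

# Name patterns for code that is only ever meant to be include()d, never served.
INCLUDE_RE = re.compile(r"\.inc(\.php)?$|/(lib|include|includes)/", re.I)
# Name patterns for configuration (settings, credentials); these belong in /etc.
CONFIG_RE = re.compile(r"(^|/)(config|settings)[^/]*\.(php|inc|ini|conf)$|\.ini$|\.conf$", re.I)

def under(path, root):
    """True when path lies inside directory root (string logic only, no I/O)."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root + "/")

def classify(path):
    """'config' for settings files, 'include' for include-only code, else None."""
    if CONFIG_RE.search(path):
        return "config"
    if INCLUDE_RE.search(path):
        return "include"
    return None

def exposed_files(file_list, web_roots=WEB_ROOTS):
    """Sorted (path, kind) pairs for include/config files an HTTP client could
    request directly because they live under an exported root."""
    hits = [(p, classify(p)) for p in file_list
            if classify(p) and any(under(p, r) for r in web_roots)]
    return sorted(hits)

def misplaced_config(file_list):
    """Config files anywhere outside /etc, exposed or not (the thread's second point)."""
    return sorted(p for p in file_list
                  if classify(p) == "config" and not under(p, "/etc"))

# Constructed file list for a hypothetical package "webapp-example".
SAMPLE_FILES = [
    "/usr/share/webapp-example/www/index.php",       # fine: meant to be served
    "/usr/share/webapp-example/www/config.inc.php",  # exposed config
    "/usr/share/webapp-example/www/lib/db.inc",      # exposed include
    "/usr/share/webapp-example/lib/functions.php",   # fine: outside any web root
    "/etc/webapp-example/config.php",                # fine: in /etc, not exported
    "/var/www/legacy/settings.ini",                  # exposed config
]

if __name__ == "__main__":
    for path, kind in exposed_files(SAMPLE_FILES):
        print(f"{kind:8s} reachable over HTTP: {path}")
```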

