On 06/08/14 23:00, Alex Dean wrote: > On Aug 6, 2014, at 12:40 PM, Daniel Pocock <dan...@pocock.pro> wrote: > >> I've noticed that in some fresh installs where the PHP module or CGI is >> not already enabled, my own package, ganglia-web, is not enabling it >> either and the PHP source code is being served to clients without being >> interpreted/executed. >> >> I'd like to tidy up the debian/control Depends field and the postinst to >> try and avoid this >> >> Is there any best practice for packages like this that use PHP, >> >> a) technique for enabling PHP support? >> >> b) preventing the display of PHP source code when PHP is not enabled? > > It's not simple because apache + mod_php is only 1 way to deploy PHP. If I > ran nginx + php-fgci, i'd be pretty annoyed by ganglia-web requiring me to > use apache. (as the debian postinst script you linked to appears to do) >
Depends: ..., apache | apache-ssl | apache-perl | apache2 | httpd-cgi, php5 | php5-cgi | libapache2-mod-php5, ... does not force somebody to install apache. The final item in the list, httpd-cgi, is a virtual package, it is satisfied if nginx is on the system because nginx has: Provides: httpd-cgi See: http://anonscm.debian.org/cgit/collab-maint/nginx.git/tree/debian/control#n86 If somebody does not have one of those packages already, apt-get will install apache and the postinst script will try to enable PHP, but not always successfully >> >> To make matters more confusing, people who land in this situation with >> the Ganglia package usually see an error "Sorry, you do not have access >> to this resource.". One of the first lines of code in the PHP is >> checking an ACL. > > This doesn't sound right. If PHP isn't enabled, a user won't see this error. > (PHP would have to run in order for this to be the output.) They would see a > source-code dump, as you said. > The way the browser renders the source code dump, the error is rendered in big bold letters, larger than the rest of the source code. Somebody who sees this for the first time may think the rendering is meaningful. Try copying the raw index.php to /tmp/index.php.html and open it in a browser and see what I mean. >> If PHP is not executed at all, the browser renders the >> error anyway. Maybe we need something like this at the top of every PHP >> file: >> >> <?php >> if(1 > 2) { >> die("<html><head><title>PHP not enabled</title><body><h4>Your PHP >> module or CGI support is not enabled. Please check the web server. >> Ignore any other messages below this line.</h4></body></html>"); >> } > > PHP would have to run in order for this to work. > > maybe something like this: > > <?php > // > // Dear Mr. User: > // If you can see this, then PHP is not configured correctly. > // > ?> To make it more obvious, maybe the first tag needs to be closed and the error wrapped in tags: <?php > // // Dear Mr. User: // <h3>If you can see this, then PHP is not configured correctly.</h3> // ?> I don't suppose anybody objects to having this in index.php? ------------------------------------------------------------------------------ Infragistics Professional Build stunning WinForms apps today! Reboot your WinForms applications with our WinForms controls. Build a bridge from your legacy apps to the future. http://pubads.g.doubleclick.net/gampad/clk?id=153845071&iu=/4140/ostg.clktrk _______________________________________________ Ganglia-developers mailing list Ganglia-developers@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ganglia-developers
