goba Sat Jan 20 11:13:22 2001 EDT
Modified files:
/phpdoc/en/chapters security.xml
Log:
.php3 -> .php
Index: phpdoc/en/chapters/security.xml
diff -u phpdoc/en/chapters/security.xml:1.17 phpdoc/en/chapters/security.xml:1.18
--- phpdoc/en/chapters/security.xml:1.17 Mon Jan 15 00:36:44 2001
+++ phpdoc/en/chapters/security.xml Sat Jan 20 11:13:22 2001
@@ -83,15 +83,15 @@
Usually some web server configuration directives (Apache:
Action) are used to redirect requests to documents like
<filename
- role="url">http://my.host/secret/script.php3</filename> to the
+ role="url">http://my.host/secret/script.php</filename> to the
PHP interpreter. With this setup, the web server first checks
the access permissions to the directory <filename
role="uri">/secret</filename>, and after that creates the
redirected request <filename
- role="url">http://my.host/cgi-bin/php/secret/script.php3</filename>.
+ role="url">http://my.host/cgi-bin/php/secret/script.php</filename>.
Unfortunately, if the request is originally given in this form,
no access checks are made by web server for file <filename
- role="uri">/secret/script.php3</filename>, but only for the
+ role="uri">/secret/script.php</filename>, but only for the
<filename role="uri">/cgi-bin/php</filename> file. This way
any user able to access <filename
role="uri">/cgi-bin/php</filename> is able to access any
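Review bot: the paragraph renamed in this hunk still explains the direct http://my.host/cgi-bin/php/secret/script.php bypass (the web server only checks permissions on /cgi-bin/php, not on /secret/script.php) without saying what closes it; the compile-time option described later in this same file, under which PHP refuses to run unless the request came through a web server redirect rule, is the fix, so a one-line forward pointer to it after "is able to access any ..." would keep readers from reading this as an open hole. While these lines are being touched, "no access checks are made by web server" should read "by the web server".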
@@ -125,9 +125,9 @@
to the configure script. You still have to make sure your PHP
scripts do not rely on one or another way of calling the script,
neither by directly <filename
- role="php">http://my.host/cgi-bin/php/dir/script.php3</filename>
+ role="php">http://my.host/cgi-bin/php/dir/script.php</filename>
nor by redirection <filename
- role="php">http://my.host/dir/script.php3</filename>.
+ role="php">http://my.host/dir/script.php</filename>.
</simpara>
<simpara>
Redirection can be configured in Apache by using AddHandler and
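Review bot: the two URLs changed in this hunk carry `<filename role="php">`, while the same kind of URL in the first hunk carries `role="url"`; since the lines are being rewritten anyway, switch them to `role="url"` so the rendered markup is consistent across the chapter. The sentence itself also reads awkwardly ("neither by directly ... nor by redirection ..."); "neither when called directly as ... nor when reached via a redirect as ..." says the same thing clearly.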
@@ -140,7 +140,7 @@
<simpara>
This compile-time option prevents anyone from calling PHP
directly with a url like <filename
- role="php">http://my.host/cgi-bin/php/secretdir/script.php3</filename>.
+ role="php">http://my.host/cgi-bin/php/secretdir/script.php</filename>.
Instead, PHP will only parse in this mode if it has gone through
a web server redirect rule.
</simpara>
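Review bot: same inconsistency as the previous hunk, the URL on the changed line uses `<filename role="php">` where the first hunk uses `role="url"`; make it `role="url"` here too. In the surrounding text "a url like" should be "a URL like".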
@@ -149,8 +149,8 @@
the following directives:
</simpara>
<programlisting role="apache-conf">
-Action php3-script /cgi-bin/php
-AddHandler php3-script .php3
+Action php-script /cgi-bin/php
+AddHandler php-script .php
</programlisting>
<simpara>
This option has only been tested with the Apache web server, and
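Review bot: renaming the handler and extension is right, but dropping .php3 from the AddHandler line means a server that still hosts older .php3 scripts no longer routes them to /cgi-bin/php once this example is copied verbatim. Because the handler name in Action is arbitrary, the example can list both extensions during the transition, e.g. `AddHandler php-script .php .php3`, or the surrounding text should say explicitly that every extension actually in use must appear on the AddHandler line.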
@@ -199,21 +199,21 @@
linkend="ini.user-dir">user_dir</link>. When user_dir is unset,
only thing controlling the opened file name is
<parameter>doc_root</parameter>. Opening an url like <filename
- role="url">http://my.host/~user/doc.php3</filename> does not
+ role="url">http://my.host/~user/doc.php</filename> does not
result in opening a file under users home directory, but a file
- called <filename role="uri">~user/doc.php3</filename> under
+ called <filename role="uri">~user/doc.php</filename> under
doc_root (yes, a directory name starting with a tilde
[<literal>~</literal>]).
</simpara>
<simpara>
If user_dir is set to for example <filename
role="dir">public_php</filename>, a request like <filename
- role="url">http://my.host/~user/doc.php3</filename> will open a
- file called <filename>doc.php3</filename> under the directory
+ role="url">http://my.host/~user/doc.php</filename> will open a
+ file called <filename>doc.php</filename> under the directory
named <filename role="dir">public_php</filename> under the home
directory of the user. If the home of the user is <filename
role="dir">/home/user</filename>, the file executed is
- <filename>/home/user/public_php/doc.php3</filename>.
+ <filename>/home/user/public_php/doc.php</filename>.
</simpara>
<simpara>
<parameter>user_dir</parameter> expansion happens regardless of
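Review bot: the extension rename is fine, but since these two paragraphs are being edited the grammar in the context lines should be fixed at the same time: "only thing controlling the opened file name is" should be "the only thing controlling the opened file name is", "under users home directory" should be "under the user's home directory", and "If user_dir is set to for example public_php" should be "If user_dir is set to, for example, public_php".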
@@ -254,22 +254,6 @@
</sect1>
- <sect1 id="security.current">
- <title>Keeping Current</title>
- <simpara>
- PHP, like any other large system, is under constant scrutiny and
- improvement. Each new version will often include both major and
- minor changes to enhance and repair security flaws, configuration
- mishaps, and other issues that will affect the overall security
- and stability of your system.
- </simpara>
- <simpara>
- Like other system-level scripting languages and programs, the best
- approach is to update often, and maintain awareness of the latest
- versions and their changes.
- </simpara>
- </sect1>
-
<sect1 id="security.apache">
<title>Installed as an Apache module</title>
<simpara>
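Review bot: this hunk deletes the entire "Keeping Current" section (`<sect1 id="security.current">`), yet the log message only says ".php3 -> .php". The same section is re-added, unchanged, at the end of the chapter further down in this diff, so this is a move rather than a removal; the log should record that (or the move should go in its own commit), otherwise anyone reading the history will conclude the advice to keep PHP updated was dropped.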
@@ -406,7 +390,7 @@
<title>More secure file name checking</title>
<programlisting role="php">
<?php
-$username = get_env("REMOTE_USER");
+$username = getenv("REMOTE_USER");
$homedir = "/home/$username";
if (!ereg('^[^./][^/]*$', $userfile))
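Review bot: the get_env -> getenv change is a genuine bug fix, get_env() is not a PHP function and the "More secure file name checking" example would have failed as written, and it is unrelated to the .php3 -> .php rename the log message describes, so it deserves its own line in the log. While here: getenv("REMOTE_USER") returns false when the variable is not set, in which case $homedir becomes "/home/" and the file-name checks that follow are applied relative to the wrong directory; the example should verify that getenv() did not return false before building $homedir, since the whole point of this listing is to show safe handling.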
@@ -599,6 +583,22 @@
connected to. Many cracking programs do not discern by size, they
simply trawl massive IP blocks looking for victims. Try not to
become one.
+ </simpara>
+ </sect1>
+
+ <sect1 id="security.current">
+ <title>Keeping Current</title>
+ <simpara>
+ PHP, like any other large system, is under constant scrutiny and
+ improvement. Each new version will often include both major and
+ minor changes to enhance and repair security flaws, configuration
+ mishaps, and other issues that will affect the overall security
+ and stability of your system.
+ </simpara>
+ <simpara>
+ Like other system-level scripting languages and programs, the best
+ approach is to update often, and maintain awareness of the latest
+ versions and their changes.
</simpara>
</sect1>
</chapter>
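Review bot: this hunk re-adds the "Keeping Current" section that the earlier hunk removed, verbatim, so together they are a move; as noted there, the log message should say so. Since the section now closes the chapter, the sentence "maintain awareness of the latest versions and their changes" would be more actionable with a pointer to where readers should look (release announcements or the change log shipped with each release), which the current text leaves to the reader to find.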