php-pear doc files not in %doc?
by Christopher Stone
Hi,
Should the files in the php-pear package which are packaged under
/usr/share/pear/doc be placed under %doc instead?
15 years, 1 month
security bug with how PHP is added as an Apache handler
by Kae Verens
The conf.d/php.conf file attaches .php files to its handler like this:
AddHandler php5-script .php
However, that allows some hackery.
For example, create three files, "test.php", "test.php." and
"test.php.blahblah". In each, place "<?php phpinfo();" and load them in
your browser - they are all rendered as PHP files.
This means that a web application which allows people to upload files
(images, for example), but not PHP scripts, can be circumvented by
naming the script somescript.php.notphp and then uploading it.
To solve this, it is probably better to change the handler attachment to
this:
<FilesMatch \.php$>
    SetHandler php5-script
</FilesMatch>
kae
15 years, 1 month
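An added example, not part of the original post or of the php package: a small Python audit that models the two matching rules discussed above, so a list of uploaded file names can be checked for names that pass an upload filter yet would still be handed to the PHP handler. The upload filter (`naive_upload_filter_allows`) is an assumption for illustration, and the sample names are constructed from those in the post.

```python
import os
import re

PHP_EXT = "php"                        # extension named in the AddHandler line
FILESMATCH_RE = re.compile(r"\.php$")  # pattern from the proposed <FilesMatch>

def addhandler_matches(filename):
    """AddHandler compares its extension, case-insensitively, against every
    dot-separated extension after the base name, not only the last one."""
    parts = os.path.basename(filename).split(".")
    return PHP_EXT in (p.lower() for p in parts[1:])

def filesmatch_matches(filename):
    """<FilesMatch \\.php$> only matches names that end in .php."""
    return FILESMATCH_RE.search(os.path.basename(filename)) is not None

def naive_upload_filter_allows(filename):
    """Assumed upload check: reject only when the final extension is php."""
    return os.path.splitext(filename)[1].lower() != ".php"

def audit(filenames):
    """Return the names the upload filter accepts but the server would still
    run as PHP, listed per configuration."""
    report = {"AddHandler": [], "FilesMatch": []}
    for name in filenames:
        if not naive_upload_filter_allows(name):
            continue
        if addhandler_matches(name):
            report["AddHandler"].append(name)
        if filesmatch_matches(name):
            report["FilesMatch"].append(name)
    return report

def audit_tree(root):
    """Walk an upload directory and audit every file name found in it."""
    names = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return audit(names)

# Constructed sample: the names from the post plus two ordinary uploads.
SAMPLE = ["test.php", "test.php.", "test.php.blahblah",
          "somescript.php.notphp", "photo.jpg", "php.png"]

if __name__ == "__main__":
    for config, names in audit(SAMPLE).items():
        print(config, "would execute:", names or "nothing")
```

Running `audit_tree` over an existing upload directory lists files that are already exposed under the `AddHandler` configuration.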