[Bug 783843] New: regression: conf.d/php5.conf does not apply the right handler to all files
https://bugzilla.novell.com/show_bug.cgi?id=783843

https://bugzilla.novell.com/show_bug.cgi?id=783843#c0

           Summary: regression: conf.d/php5.conf does not apply the right handler to all files
    Classification: openSUSE
           Product: openSUSE 12.2
           Version: Final
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Apache
        AssignedTo: bnc-team-apache@forge.provo.novell.com
        ReportedBy: per@computer.org
         QAContact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:11.0) Gecko/20100101 Firefox/11.0

Hardware: kzinti @ Hetzner

About a week ago, I upgraded our production webserver to 12.2. I had a hard disk replaced anyway, so it seemed like a good time to move from 12.1 to 12.2. Unfortunately I was a little too confident in openSUSE, so I didn't check that the webserver actually still worked. It didn't - it did not invoke the PHP handler for the right files anymore.

The problem appears to be in conf.d/php5.conf:

Earlier version:

    <IfModule mod_php5.c>
        AddHandler application/x-httpd-php .php4
        AddHandler application/x-httpd-php .php5
        AddHandler application/x-httpd-php .php
        AddHandler application/x-httpd-php .phtml
        AddHandler application/x-httpd-php-source .php4s
        AddHandler application/x-httpd-php-source .php5s
        AddHandler application/x-httpd-php-source .phps
        DirectoryIndex index.php4
        DirectoryIndex index.php5
        DirectoryIndex index.php
    </IfModule>

Version from 12.2:

    <IfModule mod_php5.c>
        <FilesMatch "\.ph(p[345]?|tml)$">
            SetHandler application/x-httpd-php
        </FilesMatch>
        <FilesMatch "\.php[345]?s$">
            SetHandler application/x-httpd-php-source
        </FilesMatch>
        DirectoryIndex index.php4
        DirectoryIndex index.php5
        DirectoryIndex index.php
    </IfModule>

Change this section:

    <FilesMatch "\.ph(p[345]?|tml)$">
        SetHandler application/x-httpd-php
    </FilesMatch>

to this:

    <FilesMatch "\.ph(p[345]?|tml)">
        SetHandler application/x-httpd-php
    </FilesMatch>

and it works again. I'm serving files named e.g. "index.phtml.en" (language-negotiated through type-map=index.var). The '$' in the regex makes the difference. I'm not sure if using SetHandler instead of AddHandler is correct either, but so far I haven't seen any problems with it.

Reproducible: Always

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=783843

https://bugzilla.novell.com/show_bug.cgi?id=783843#c1

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |meissner@suse.com,
                   |                            |mweckbecker@suse.com,
                   |                            |pgajdos@suse.com

--- Comment #1 from Marcus Meissner <meissner@suse.com> 2012-10-06 12:16:22 UTC ---

the $ is important there as hardening measure, see bug 775852

https://bugzilla.novell.com/show_bug.cgi?id=783843

https://bugzilla.novell.com/show_bug.cgi?id=783843#c2

--- Comment #2 from Per Jessen <per@computer.org> 2012-10-06 12:57:37 UTC ---

Regarding naming conventions when using content negotiation, see the Apache2 manual, http://httpd.apache.org/docs/2.2/content-negotiation.html#naming :

"If you want to continue to use a MIME-type in your hyperlinks (e.g. foo.html) the language extension (including an encoding extension if there is one) must be on the right hand side of the MIME-type extension (e.g., foo.html.en)."

https://bugzilla.novell.com/show_bug.cgi?id=783843

https://bugzilla.novell.com/show_bug.cgi?id=783843#c3

Matthias Weckbecker <mweckbecker@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #3 from Matthias Weckbecker <mweckbecker@suse.com> 2012-10-07 19:52:46 CEST ---

Marcus is right: The $ is the crucial part here, because it makes sure it's only matching the file name extension, and not other parts of the file name. It was done intentionally and prevents from security implications. See bnc# in c#1 as well as [1].

[1] https://en.wikipedia.org/wiki/Filename_extension

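Added example (not part of the bug thread or the openSUSE package): a Python check of which file names each of the two patterns quoted in the report would hand to the PHP handler, so an administrator can see both what the anchor breaks and what dropping it lets through. The sample names other than index.phtml.en are constructed, the NEGOTIATED pattern with its language allowlist is a hypothetical site-local variant that nobody in the thread proposed, and the check assumes the pattern is applied to the file's base name.

```python
import re

# Patterns quoted in the report: the 12.2 default (anchored) and the reporter's edit.
ANCHORED = re.compile(r"\.ph(p[345]?|tml)$")
UNANCHORED = re.compile(r"\.ph(p[345]?|tml)")

# Hypothetical site-local pattern (assumption, not from the thread): still anchored,
# but allows one language suffix taken from an explicit allowlist.
LANGS = ("en", "de", "fr")
NEGOTIATED = re.compile(r"\.ph(p[345]?|tml)(\.(%s))?$" % "|".join(LANGS))


def handlers(name):
    """Return which patterns would hand this base name to the PHP handler."""
    return {
        "anchored": bool(ANCHORED.search(name)),
        "unanchored": bool(UNANCHORED.search(name)),
        "negotiated": bool(NEGOTIATED.search(name)),
    }


def audit(names):
    """Sort names into: plain PHP, negotiated variants, and unanchored-only matches."""
    report = {"php": [], "needs_negotiation": [], "unanchored_only": []}
    for name in names:
        h = handlers(name)
        if h["anchored"]:
            report["php"].append(name)                # works with the 12.2 default
        elif h["negotiated"]:
            report["needs_negotiation"].append(name)  # broken by '$', allowlisted here
        elif h["unanchored"]:
            report["unanchored_only"].append(name)    # PHP only if '$' is dropped
    return report


# Constructed sample listing; only index.phtml.en comes from the bug report.
SAMPLE = ["index.php", "index.phtml.en", "index.phtml.de", "avatar.php.jpg",
          "notes.php.bak", "config.php5~", "logo.png"]

if __name__ == "__main__":
    for bucket, names in audit(SAMPLE).items():
        print(bucket, names)
```

Running `audit()` over a real document-root listing before an upgrade shows which negotiated files depend on an unanchored match and which other files the unanchored pattern would also treat as PHP.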
https://bugzilla.novell.com/show_bug.cgi?id=783843

https://bugzilla.novell.com/show_bug.cgi?id=783843#c4

--- Comment #4 from Per Jessen <per@computer.org> 2012-10-08 06:06:21 UTC ---

I guess you don't care that your solution also largely prevents e.g. language negotiation from working, but it would have been nice with a warning and some recommendations wrt a work-around.

https://bugzilla.novell.com/show_bug.cgi?id=783843

https://bugzilla.novell.com/show_bug.cgi?id=783843#c5

--- Comment #5 from Matthias Weckbecker <mweckbecker@suse.com> 2012-10-08 10:15:21 CEST ---

It only prevents this if you *modify* the sample configuration and expect from it to be something that can never change. The way to go is simply to do it right, e.g. drop your own configuration, name it as you like and make apache load this, instead of the modified, sample one.

Apart from that, I've always been recommending a testing system. However, all of this should be discussed with your systems administrator rather than with a bunch of developers in BZ.

https://bugzilla.novell.com/show_bug.cgi?id=783843

https://bugzilla.novell.com/show_bug.cgi?id=783843#c6

--- Comment #6 from Per Jessen <per@computer.org> 2012-10-08 08:44:08 UTC ---

(In reply to comment #5)
> It only prevents this if you *modify* the sample configuration and expect from
> it to be something that can never change. The way to go is simply to do it
> right, e.g. drop your own configuration, name it as you like and make apache
> load this, instead of the modified, sample one. Apart from that, I've always
> been recommending a testing system. However, all of this should be discussed
> with your systems administrator rather than with a bunch of developers in BZ.

We obviously have test-systems, quite a few in fact, but the real problem is that we didn't expect a simple upgrade to screw things up like this. My problem of course, I should have known better.