Packaging of Bugzilla 2.18 in Debian

Kevin Benton kevin.benton at amd.com
Wed Jan 19 21:39:37 UTC 2005


It's all in the Apache configuration where to allow .php files execute
permission versus where not to.  In the "php.conf" as distributed with
Red Hat, there is no directory restriction around the <Files *.php>.  So,
webmasters who haven't checked their Apache config thoroughly will be
surprised to find that PHP can run from anywhere on their web server.

If, on the other hand, they did...

<Directory such/and/such>
  <Files *.php>
    ...
  </Files>
</Directory>

... they would find that PHP files outside those directories would not be
executed.

---
Kevin Benton
Perl/Bugzilla Developer
Advanced Micro Devices
 
 
 
> -----Original Message-----
> From: developers-owner at bugzilla.org [mailto:developers-owner at bugzilla.org]
> On Behalf Of David Miller
> Sent: Wednesday, January 19, 2005 12:44 PM
> To: developers at bugzilla.org
> Subject: Re: Packaging of Bugzilla 2.18 in Debian
> 
> Alexis Sukrieh wrote:
> 
> > That's not allowed by the Policy to put non-cgi files in a cgi location,
> > which is understandable I suppose :)
> 
> Out of curiosity (I know I'm going way offtopic here) why are php files
> allowed outside of cgi-bin?  :)  They can do just as much damage as
> other cgi scripts.  If it's the fact that they're actually interpreted
> by Apache instead of shelling out to them, would running Bugzilla under
> mod_perl let us put the files outside of cgi-bin?  mod_perl is just like
> mod_php in that regard.  (Bugzilla doesn't run under mod_perl yet, but
> it will one of these days)
> 
> I note that the mailman package has a /var/lib/mailman/cgi-bin, which is
> symlinked from /usr/lib/cgi-bin/mailman.
> 
> --
> Dave Miller                                   http://www.justdave.net/
> System Administrator, Mozilla Foundation       http://www.mozilla.org/
> Project Leader, Bugzilla Bug Tracking System  http://www.bugzilla.org/
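An added example, not part of the original message or of any Red Hat or Bugzilla file: a small Python check that flags <Files>/<FilesMatch> sections naming php that sit outside any <Directory> container, the situation the message describes for php.conf. The sample configurations, the SetHandler line and the /var/www/app path are constructed; the script reads one file's text and does not follow Include directives.

```python
import re

# Matches an opening or closing container tag, e.g. <Files *.php> or </Directory>.
SECTION = re.compile(r'^\s*<(/?)(\w+)\s*([^>]*)>\s*$')
DIR_SCOPES = {"directory", "directorymatch"}
FILE_SCOPES = {"files", "filesmatch"}


def unscoped_php_sections(conf_text):
    """Return (line_no, tag) for each <Files>/<FilesMatch> section that names
    php and is not nested inside any <Directory>/<DirectoryMatch>."""
    stack, findings = [], []
    for no, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip comments
        m = SECTION.match(line)
        if not m:
            continue  # ordinary directive, not a container tag
        closing, name, arg = m.group(1), m.group(2).lower(), m.group(3).strip()
        if closing:
            if stack and stack[-1] == name:
                stack.pop()
            continue
        if name in FILE_SCOPES and "php" in arg.lower():
            # Applies server-wide unless some ancestor limits it to a directory.
            if not any(s in DIR_SCOPES for s in stack):
                findings.append((no, line.strip()))
        stack.append(name)
    return findings


# Constructed sample: a global <Files> block with no directory restriction.
GLOBAL_CONF = """\
<Files *.php>
    SetHandler application/x-httpd-php
</Files>
"""

# Constructed sample: the same block limited to one directory (placeholder path).
SCOPED_CONF = """\
<Directory "/var/www/app">
    <Files *.php>
        SetHandler application/x-httpd-php
    </Files>
</Directory>
"""

if __name__ == "__main__":
    for label, conf in (("global", GLOBAL_CONF), ("scoped", SCOPED_CONF)):
        print(label, unscoped_php_sections(conf))
```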





