authorOndřej Surý <ondrej@sury.org>2012-08-20 14:07:15 +0200
committerOndřej Surý <ondrej@sury.org>2012-08-20 14:18:06 +0200
commit72eef08994f65b227103509617652d7c0bf0587a (patch)
treec21db9bc2ed9e4a5f91aab2b35911080b0948bb1
parent5888b81a3652c241762fe4b2541289cfa8edccd7 (diff)
Provide sensible default configuration for PHP-CGI files (Closes: #685340)
-rw-r--r--debian/libapache2-mod-php5.conf23
-rw-r--r--debian/libapache2-mod-php5filter.conf7
-rw-r--r--debian/php5-cgi.NEWS33
-rw-r--r--debian/php5-cgi.dirs1
-rw-r--r--debian/php5-cgi.postinst18
-rw-r--r--debian/php5-cgi.prerm15
-rw-r--r--debian/php5-common.README.Debian35
-rw-r--r--debian/php5_cgi.conf37
-rw-r--r--debian/php5_cgi.load2
-rwxr-xr-xdebian/rules6
10 files changed, 125 insertions, 52 deletions
diff --git a/debian/libapache2-mod-php5.conf b/debian/libapache2-mod-php5.conf
index 5d2f9112f..6a994ece3 100644
--- a/debian/libapache2-mod-php5.conf
+++ b/debian/libapache2-mod-php5.conf
@@ -1,11 +1,24 @@
<IfModule mod_php5.c>
- <FilesMatch "\.ph(p3?|tml)$">
- SetHandler application/x-httpd-php
+ <FilesMatch ".+\.ph(p[345]?|t|tml)$">
+ SetHandler application/x-httpd-php
</FilesMatch>
- <FilesMatch "\.phps$">
- SetHandler application/x-httpd-php-source
+ <FilesMatch ".+\.phps$">
+ SetHandler application/x-httpd-php-source
+ # Deny access to raw php sources by default
+ # To re-enable it's recommended to enable access to the files
+ # only in specific virtual host or directory
+ Order Deny,Allow
+ Deny from all
</FilesMatch>
- # To re-enable php in user directories comment the following lines
+ # Deny access to files without filename (e.g. '.php')
+ <FilesMatch "^\.ph(p[345]?|t|tml|ps)$">
+ Order Deny,Allow
+ Deny from all
+ </FilesMatch>
+
+ # Running PHP scripts in user directories is disabled by default
+ #
+ # To re-enable PHP in user directories comment the following lines
# (from <IfModule ...> to </IfModule>.) Do NOT set it to On as it
# prevents .htaccess files from disabling it.
<IfModule mod_userdir.c>
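Review bot: The `Order Deny,Allow` / `Deny from all` pairs in the two new `<FilesMatch>` blocks are Apache 2.2 access-control directives; under 2.4 they are accepted only when mod_access_compat is loaded, so without it the server would refuse to parse this file after an upgrade. Consider guarding them, for example `<IfModule mod_authz_core.c>` with `Require all denied`, and an `<IfModule !mod_authz_core.c>` branch that keeps the current two lines. The same pairs appear in debian/libapache2-mod-php5filter.conf and debian/php5_cgi.conf. The comment on the `.phps` block could also show what re-enabling looks like (a `<FilesMatch>` with `Allow from all` inside the chosen `<Directory>` or `<VirtualHost>`); the enclosing `<IfModule mod_php5.c>` block continues past this hunk.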
diff --git a/debian/libapache2-mod-php5filter.conf b/debian/libapache2-mod-php5filter.conf
index 6d74a755a..e69e005f1 100644
--- a/debian/libapache2-mod-php5filter.conf
+++ b/debian/libapache2-mod-php5filter.conf
@@ -1,6 +1,11 @@
<IfModule mod_php5.c>
- <FilesMatch "\.ph(p3?|tml)$">
+ <FilesMatch ".+\.ph(p3?|tml)$">
SetInputFilter PHP
SetOutputFilter PHP
</FilesMatch>
+ # Deny access to files without filename (e.g. '.php')
+ <FilesMatch "^\.ph(p[345]?|t|tml|ps)$">
+ Order Deny,Allow
+ Deny from all
+ </FilesMatch>
</IfModule>
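Review bot: The handler pattern here was only changed to `.+\.ph(p3?|tml)$`, while the deny block below it and the other two configuration files in this commit use the wider list `p[345]?|t|tml`. Under the filter SAPI, files ending in `.php4`, `.php5` or `.pht` therefore match no PHP rule and would presumably be served as plain text, exposing their source now that the system MIME types are gone (per the NEWS entry). If that is not intended, use the same list as the module config: `<FilesMatch ".+\.ph(p[345]?|t|tml)$">`. This file also carries no `.phps` rule, so only a bare `.phps` file is denied here.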
diff --git a/debian/php5-cgi.NEWS b/debian/php5-cgi.NEWS
index 7ead46c67..ae7ed4462 100644
--- a/debian/php5-cgi.NEWS
+++ b/debian/php5-cgi.NEWS
@@ -2,10 +2,7 @@ php5 (5.4.4-5) unstable; urgency=low
Please be aware that the mime-types package dropped non-standard
definitions for PHP that might affect any systems using PHP 5 running
- as CGI or FastCGI.
-
- The mime-types package has dropped the following non-standard
- definitions:
+ as CGI or FastCGI. Following definitions were dropped:
application/x-httpd-php phtml pht php
application/x-httpd-php-source phps
@@ -14,24 +11,16 @@ php5 (5.4.4-5) unstable; urgency=low
application/x-httpd-php4 php4
application/x-httpd-php5 php5
- Systems, especially webservers (including but possibly not limited to
- the Apache HTTPD Server) may have used this to mark files as having
- the PHP Internet Media Type (commonly known as MIME type). They
- may have used it further, to determine that such files are to be
- interpreted by PHP rather than served as normal files.
-
- If a webserver would not consider these files to be interpreted
- anymore this would have at least the following effects:
- - PHP web programs/sites no longer work as expected
- - PHP files might be directly exposed, which may be a security
- problem
+ The php5-cgi package mitigates any known issues by creating a (dummy)
+ apache2 module php5_cgi with a configuration containing handlers for
+ all previously defined extensions. Even though we believe that this
+ configuration should keep your PHP scripts interpreted, it might be a
+ good idea to check your apache2 site-wide configuration and also any
+ specific PHP configuration for websites running on your system.
- In order to avoid any problems when not using Apache PHP 5 module, and
- if you relied on MIME type definitions, read the README.Debian from
- the php5-common package on how to correctly configure PHP 5 running
- as a CGI or FastCGI (examples are provided for the Apache HTTPD
- Server) and take care, that PHP files intended to be interpreted
- are recognised as such (typically by adding MIME-Type or handler
- definitions in the webserver configuration).
+ As far as we know definitions from the mime-types packages are not
+ used in any other webserver included in Debian, but it might affect
+ any application which relies on system MIME types to interpret PHP
+ files.
-- Ondřej Surý <ondrej@debian.org> Wed, 15 Aug 2012 10:31:31 +0200
diff --git a/debian/php5-cgi.dirs b/debian/php5-cgi.dirs
index 269f6b71f..9a7d4050d 100644
--- a/debian/php5-cgi.dirs
+++ b/debian/php5-cgi.dirs
@@ -1,3 +1,4 @@
+/etc/apache2/mods-available
/etc/php5/cgi
/usr/lib/cgi-bin
/usr/bin
diff --git a/debian/php5-cgi.postinst b/debian/php5-cgi.postinst
index a4369aa4a..8711bdb0a 100644
--- a/debian/php5-cgi.postinst
+++ b/debian/php5-cgi.postinst
@@ -4,6 +4,15 @@ set -e
#DEBHELPER#
+reload_apache()
+{
+ if apache2ctl configtest 2>/dev/null; then
+ invoke-rc.d apache2 $1 || true
+ else
+ echo "Your apache2 configuration is broken, so we're not restarting it for you."
+ fi
+}
+
if [ "$1" != "configure" ]; then
exit 0
fi
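Review bot: In `reload_apache`, `apache2ctl configtest 2>/dev/null` throws away the diagnostics, so when the test fails the admin is told the configuration is broken but not why, and the message itself goes to stdout rather than stderr. I would keep the output and print it on failure, and send the warning to stderr: `echo "Your apache2 configuration is broken, so we're not restarting it for you." >&2`. The action argument should also be quoted, `invoke-rc.d apache2 "$1" || true`. Note that on the failure path the module has already been enabled by the caller, so the next manual restart will pick it up; a one-line comment saying so would help.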
@@ -13,6 +22,15 @@ phpini="/etc/php5/cgi/php.ini"
ucf /usr/share/php5/php.ini-production $phpini
ucfr php5-cgi $phpini
+# Enable php5_cgi if upgrading from older versions of php5-cgi
+if [ -n "$2" ] && dpkg --compare-versions "$2" lt 5.4.4-5; then
+ # Only enable php5_cgi if apache2 is installed
+ if [ -x "/usr/sbin/a2enmod" ]; then
+ a2enmod php5_cgi >/dev/null || true
+ reload_apache force-reload
+ fi
+fi
+
update-alternatives \
--install /usr/bin/php-cgi php-cgi /usr/bin/php5-cgi 50 \
--slave /usr/share/man/man1/php-cgi.1.gz php-cgi.1.gz /usr/share/man/man1/php5-cgi.1.gz
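Review bot: `a2enmod php5_cgi >/dev/null || true` discards a failed enable, and `reload_apache force-reload` then runs regardless, so the web server is bounced on upgrade even when nothing changed. Tie the reload to success: `if a2enmod php5_cgi >/dev/null; then reload_apache force-reload; fi`. This branch also changes handler mapping and `.phps` access for every virtual host on upgrade without checking whether the site used PHP through CGI at all. A comment stating that this is deliberate, with a pointer to the NEWS entry, would make the intent reviewable.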
diff --git a/debian/php5-cgi.prerm b/debian/php5-cgi.prerm
index aeb5c1020..7c8d531dd 100644
--- a/debian/php5-cgi.prerm
+++ b/debian/php5-cgi.prerm
@@ -4,11 +4,14 @@ set -e
#DEBHELPER#
-if [ "$1" != "remove" -a "$1" != "purge" ]; then
- exit 0
-fi
-
-update-alternatives --remove php-cgi /usr/bin/php5-cgi
-update-alternatives --remove php-cgi-bin /usr/lib/cgi-bin/php5
+case "$1" in
+ remove)
+ if [ -x /usr/sbin/a2dismod ]; then
+ a2dismod php5_cgi || true
+ fi
+ update-alternatives --remove php-cgi /usr/bin/php5-cgi
+ update-alternatives --remove php-cgi-bin /usr/lib/cgi-bin/php5
+ ;;
+esac
exit 0
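Review bot: The `remove` arm runs `a2dismod php5_cgi || true` but never reloads apache2, unlike the enable path in postinst, so the running server keeps the php5_cgi handler and deny rules until some unrelated reload changes its behaviour. If that asymmetry is intended, say so in a comment; otherwise follow the dismod with a guarded reload such as `invoke-rc.d apache2 force-reload || true` after a passing `apache2ctl configtest`. The `a2dismod` output is also not silenced here, while the `a2enmod` output is in postinst. The `case` has no `*)` arm, which is fine since the script ends in `exit 0`, but a short comment that other actions are intentionally no-ops would help.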
diff --git a/debian/php5-common.README.Debian b/debian/php5-common.README.Debian
index 99c37c699..1c7880b2d 100644
--- a/debian/php5-common.README.Debian
+++ b/debian/php5-common.README.Debian
@@ -64,13 +64,20 @@ Other caveats
PHP 5 CGI and Apache HTTP Server
----------------------------------------------------------------------
- In 99% of cases, what you probably want isn't php5-cgi package at
+ In simple cases, what you probably want isn't php5-cgi package at
all, but rather the libapache2-mod-php5 package, which will
configure itself on installation and Just Work(tm). If, however, you
have a need to use the CGI version of PHP 5 with Apache HTTP Server,
the following should help get you going, though there are dozens of
different ways to do this.
+ More recent way of doing this is to install php5-fpm package and use
+ FastCGI to interface of your webserver. However you will have to
+ use libapache2-mod-fastcgi package (from non-free) or different
+ FastCGI capable webserver (f.e. nginx or lighttpd) since
+ libapache2-mod-fcgid available from main archive has no way how to
+ interact with external FastCGI servers.
+
Please note that this process will never be made automatic, as
php5-cgi is meant to be a webserver-agnostic package that can be
used with any httpd, and we don't want it to conflict with the
@@ -84,21 +91,15 @@ PHP 5 CGI and Apache HTTP Server
http://www.php.net/manual/en/security.cgi-bin.php
To use php5-cgi with Apache HTTP Server:
- 1) activate CGI (it's on by default in default debian setups)
- a) If using the prefork MPM, use 'a2enmod cgi'
- b) If using a threaded MPM, use 'a2enmod cgid'
- 2) activate mod_actions (a2enmod actions)
- 3) Add the following to a config snippet in /etc/apache2/conf.d
- <IfModule mod_actions.c>
- ScriptAlias /cgi-bin/php5-cgi /usr/lib/cgi-bin/php5
- Action application/x-php /cgi-bin/php5-cgi
- <FilesMatch \.php$>
- AddType application/x-php php
- </FilesMatch>
- </IfModule>
-
- Note: more modern way of doing this is to install php5-fpm package
- and use FastCGI interface of your webserver.
+ 1) activate php5_cgi module: run 'a2enmod php5_cgi'
+ 2) this will also activate mod_actions module as a dependency
+ 3) comment out last block of configuration in the
+ /etc/apache2/mods-enabled/php5_cgi.conf file to enable
+ server-wide PHP 5 CGI or add the mentioned configuration block to
+ one or more virtual sites.
+ 4) It's advised to not mix&match mod_php and php5-cgi in the same
+ apache2 configuration as it is likely to create unpredictable
+ results.
Configuration Layout
----------------------------------------------------------------------
@@ -147,4 +148,4 @@ Further documentation, errata, misc.
If after reading the documentation in this file you still have
unanswered questions, that's a good next place to go.
- -- Ondřej Surý <ondrej@debian.org>, Mon, 6 Aug 2012 12:49:51 +0200
+ -- Ondřej Surý <ondrej@debian.org>, Mon, 20 Aug 2012 14:17:12 +0200
diff --git a/debian/php5_cgi.conf b/debian/php5_cgi.conf
new file mode 100644
index 000000000..2a18b149b
--- /dev/null
+++ b/debian/php5_cgi.conf
@@ -0,0 +1,37 @@
+# This file replaces old system MIME types and sets them only in the
+# Apache webserver
+
+# application/x-httpd-php phtml pht php
+# application/x-httpd-php3 php3
+# application/x-httpd-php4 php4
+# application/x-httpd-php5 php
+<FilesMatch ".+\.ph(p[345]?|t|tml)$">
+ SetHandler application/x-httpd-php
+</FilesMatch>
+# application/x-httpd-php-source phps
+<FilesMatch ".+\.phps$">
+ SetHandler application/x-httpd-php-source
+ # Deny access to raw php sources by default
+ # To re-enable it's recommended to enable access to the files
+ # only in specific virtual host or directory
+ Order Deny,Allow
+ Deny from all
+</FilesMatch>
+# Deny access to files without filename (e.g. '.php')
+<FilesMatch "^\.ph(p[345]?|t|tml|ps)$">
+ Order Deny,Allow
+ Deny from all
+</FilesMatch>
+
+# To enable PHP CGI site-wide, just uncomment following lines, however
+# as a security measure, it's recommended to enable PHP just in the
+# specific virtual servers or just specific directories
+
+#ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
+#<Directory "/usr/lib/cgi-bin">
+# AllowOverride None
+# Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+# Order allow,deny
+# Allow from all
+#</Directory>
+#Action application/x-httpd-php /cgi-bin/php5
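Review bot: With the `Action` line left commented out, the `SetHandler application/x-httpd-php` block on its own does not cause matching files to be interpreted. As far as I can tell Apache falls back to its default handler when no `Action` or module claims that handler name, so a site without its own `Action` would still serve the script source. Because postinst enables this module automatically on upgrade, the file should state this next to the handler block, e.g. `# NOTE: without an Action for application/x-httpd-php these files are NOT interpreted`. Separately, the header comment `# application/x-httpd-php5 php` looks like it should read `php5`, matching the list in debian/php5-cgi.NEWS.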
diff --git a/debian/php5_cgi.load b/debian/php5_cgi.load
new file mode 100644
index 000000000..c7162af60
--- /dev/null
+++ b/debian/php5_cgi.load
@@ -0,0 +1,2 @@
+# Depends: actions
+# This is just dummy load file to enable actions module
diff --git a/debian/rules b/debian/rules
index 5b734037e..a358384a7 100755
--- a/debian/rules
+++ b/debian/rules
@@ -498,7 +498,11 @@ install: build
chmod 01733 debian/php5-common/var/lib/php5
- # Add here commands to install the package into debian/php5.
+ cp debian/php5_cgi.conf \
+ debian/php5-cgi/etc/apache2/mods-available/php5_cgi.conf
+ cp debian/php5_cgi.load \
+ debian/php5-cgi/etc/apache2/mods-available/php5_cgi.load
+
# install apache2 DSO module
cp apache2-build/.libs/libphp5.so \
debian/libapache2-mod-php5/`apxs2 -q LIBEXECDIR`/