Major problems with latest php package update, php files being served as plain text

[Yannik]

Hi,

after updating libapache2-mod-php5.6:amd64 from 5.6.18+dfsg-4+deb.sury.org~trusty+1 to 5.6.18+dfsg-8+deb.sury.org~trusty+2, apache2 is serving php files as plain text and not interpreting them as php. With the previous version this worked flawlessly.

Only php5.6 is enabled:

a2dismod php5
a2dismod php7.0
a2enmod php5.6

Nothing can be found in apaches errorlog, even with LogLevel debug.
I did purge all php packages and libapache2-mod-php* and reinstall them, same issue.

Any ideas what's the culprit on this?

[Yannik]

Got it.

It's of course not possible to enable the php5.6 and php7.0 modules at the same time. Therefore, only one will ever be enabled.

Now, 2 files have been added to apaches conf-available and enabled (symlinked to conf-enabled):
conf-available/php5.6-fpm.conf:

# Redirect to local php-fpm if mod_php is not available
<IfModule !mod_php5.c>
    # Enable http authorization headers
    SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1

    #<FilesMatch ".+\.ph(p[3457]?|t|tml)$">
    #    SetHandler "proxy:unix:/run/php/php5.6-fpm.sock|fcgi://localhost"
    #</FilesMatch>
    <FilesMatch ".+\.php$">
        # Deny access to raw php sources by default
        # To re-enable it's recommended to enable access to the files
        # only in specific virtual host or directory
        Require all denied
    </FilesMatch>
    # Deny access to files without filename (e.g. '.php')
    <FilesMatch "^\.ph(p[3457]?|t|tml|ps)$">
        Require all denied
    </FilesMatch>
</IfModule>

conf-available/php7.0-fpm.conf:

# Redirect to local php-fpm if mod_php is not available
<IfModule !mod_php7.c>
    # Enable http authorization headers
    SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1

    <FilesMatch ".+\.ph(p[3457]?|t|tml)$">
        SetHandler "proxy:unix:/run/php/php7.0-fpm.sock|fcgi://localhost"
    </FilesMatch>
    <FilesMatch ".+\.phps$">
        # Deny access to raw php sources by default
        # To re-enable it's recommended to enable access to the files
        # only in specific virtual host or directory
        Require all denied
    </FilesMatch>
    # Deny access to files without filename (e.g. '.php')
    <FilesMatch "^\.ph(p[3457]?|t|tml|ps)$">
        Require all denied
    </FilesMatch>
</IfModule>

One of these IfModule directives will ALWAYS hit, as only mod_php5.c OR mod_php7.c are every gonna be enabled. Therefore, this leads to the SetHandler directive ALWAYS being set.

By default the SetHandler directive does not work (in my system atleast), resulting in the raw source being served. A major security issue.

Seriously, when a user installs php-fpm, they will always use a SetHandler directive or ProxyPassMatch or similar in their site config. Doing this in a global config and enabling it by default(!!). (I may also disabled mod_php5 & mod_php7 - it still shouldn't be expected that a rogue package sets a SetHandler directive itself to serve from the www.conf-pool - this may be a big security issue in itself.

I have been a linux sysadmin for a long time and lived through a lot of bugs, never have I seen something so horrendous. Thoroughly disappointed.

[oerdnj]

Right, it shouldn't be enabled by default. +3 versions of both php7.0-fpm and php5.6-fpm has been uploaded with a fix.

[Yannik]

Hi @oerdnj,
this seems like an issue that easily could have been caught by automated testing - hasn't it been tested at all or what was the issue on this not being caught before being pushed to the repo?

[oerdnj]

This exact issue was caused by the need for FPM autopkgtests. Neal has added autopkgtest for fpm. Anyway the testing surely needs more improvements, so feel free to add any other autopkgtests and send a git format-patch for any improvements. I don't have enough free time, since this is not my job, just a thing I do mostly in my free time.

[Yannik]

@oerdnj
I'd be glad if you pointed me to a public repository from which the packages are built, I wanted to have a look at it anyway.

[sathieu]

I think the repo is at: http://anonscm.debian.org/cgit/pkg-php/php.git

I proposed a solution at: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820282#25. I need to write a patch.

[sathieu]

My proposed patch is at: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820282#35