Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Major problems with latest php package update, php files being served as plain text #266

Closed
Yannik opened this issue Feb 24, 2016 · 7 comments

Comments

@Yannik
Copy link

Yannik commented Feb 24, 2016

Hi,

after updating libapache2-mod-php5.6:amd64 from 5.6.18+dfsg-4+deb.sury.org~trusty+1 to 5.6.18+dfsg-8+deb.sury.org~trusty+2, apache2 is serving php files as plain text and not interpreting them as php. With the previous version this worked flawlessly.

Only php5.6 is enabled:

a2dismod php5
a2dismod php7.0
a2enmod php5.6

Nothing can be found in apaches errorlog, even with LogLevel debug.
I did purge all php packages and libapache2-mod-php* and reinstall them, same issue.

Any ideas what's the culprit on this?

@Yannik Yannik changed the title Problems with latest php update Major problems with latest php update, php files being served as plain text Feb 24, 2016
@Yannik
Copy link
Author

Yannik commented Feb 24, 2016

Got it.

It's of course not possible to enable the php5.6 and php7.0 modules at the same time. Therefore, only one will ever be enabled.

Now, 2 files have been added to apaches conf-available and enabled (symlinked to conf-enabled):
conf-available/php5.6-fpm.conf:

# Redirect to local php-fpm if mod_php is not available
<IfModule !mod_php5.c>
    # Enable http authorization headers
    SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1

    #<FilesMatch ".+\.ph(p[3457]?|t|tml)$">
    #    SetHandler "proxy:unix:/run/php/php5.6-fpm.sock|fcgi://localhost"
    #</FilesMatch>
    <FilesMatch ".+\.php$">
        # Deny access to raw php sources by default
        # To re-enable it's recommended to enable access to the files
        # only in specific virtual host or directory
        Require all denied
    </FilesMatch>
    # Deny access to files without filename (e.g. '.php')
    <FilesMatch "^\.ph(p[3457]?|t|tml|ps)$">
        Require all denied
    </FilesMatch>
</IfModule>

conf-available/php7.0-fpm.conf:

# Redirect to local php-fpm if mod_php is not available
<IfModule !mod_php7.c>
    # Enable http authorization headers
    SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1

    <FilesMatch ".+\.ph(p[3457]?|t|tml)$">
        SetHandler "proxy:unix:/run/php/php7.0-fpm.sock|fcgi://localhost"
    </FilesMatch>
    <FilesMatch ".+\.phps$">
        # Deny access to raw php sources by default
        # To re-enable it's recommended to enable access to the files
        # only in specific virtual host or directory
        Require all denied
    </FilesMatch>
    # Deny access to files without filename (e.g. '.php')
    <FilesMatch "^\.ph(p[3457]?|t|tml|ps)$">
        Require all denied
    </FilesMatch>
</IfModule>

One of these IfModule directives will ALWAYS hit, as only mod_php5.c OR mod_php7.c are every gonna be enabled. Therefore, this leads to the SetHandler directive ALWAYS being set.

By default the SetHandler directive does not work (in my system atleast), resulting in the raw source being served. A major security issue.

Seriously, when a user installs php-fpm, they will always use a SetHandler directive or ProxyPassMatch or similar in their site config. Doing this in a global config and enabling it by default(!!). (I may also disabled mod_php5 & mod_php7 - it still shouldn't be expected that a rogue package sets a SetHandler directive itself to serve from the www.conf-pool - this may be a big security issue in itself.

I have been a linux sysadmin for a long time and lived through a lot of bugs, never have I seen something so horrendous. Thoroughly disappointed.

@Yannik Yannik changed the title Major problems with latest php update, php files being served as plain text Major problems with latest php package update, php files being served as plain text Feb 24, 2016
@oerdnj
Copy link
Owner

oerdnj commented Feb 24, 2016

Right, it shouldn't be enabled by default. +3 versions of both php7.0-fpm and php5.6-fpm has been uploaded with a fix.

@Yannik
Copy link
Author

Yannik commented Feb 25, 2016

Hi @oerdnj,
this seems like an issue that easily could have been caught by automated testing - hasn't it been tested at all or what was the issue on this not being caught before being pushed to the repo?

@oerdnj
Copy link
Owner

oerdnj commented Feb 25, 2016

This exact issue was caused by the need for FPM autopkgtests. Neal has added autopkgtest for fpm. Anyway the testing surely needs more improvements, so feel free to add any other autopkgtests and send a git format-patch for any improvements. I don't have enough free time, since this is not my job, just a thing I do mostly in my free time.

@Yannik
Copy link
Author

Yannik commented Feb 25, 2016

@oerdnj
I'd be glad if you pointed me to a public repository from which the packages are built, I wanted to have a look at it anyway.

@sathieu
Copy link

sathieu commented Apr 17, 2016

I think the repo is at: http://anonscm.debian.org/cgit/pkg-php/php.git

I proposed a solution at: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820282#25. I need to write a patch.

@sathieu
Copy link

sathieu commented Apr 17, 2016

My proposed patch is at: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820282#35

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants