[php-maint] Bug#447764: libapache2-mod-php5: updated debdiff
Steve Langasek
vorlon at debian.org
Tue Jan 8 09:29:29 UTC 2008
On Mon, Jan 07, 2008 at 11:14:39AM +0100, sean finney wrote:
> hey folks,
> On Monday 07 January 2008 10:39:01 am Steve Langasek wrote:
> > Overall, I think this is a reasonable thing to add to the package. Sean,
> > are you ok with it?
> i'm surprised i didn't comment on this.. must have lost my draft or something.
> anyway, i think the idea in theory is nice, i haven't actually checked the
> contents of the page itself. however:
> - i don't think we should be dropping files in /var/www. we could accomplish
> the same with an alias/scriptalias in a config file.

Hmm, 54 packages in lenny still disagree with you. :) I'll admit I wasn't
happy with the idea of putting it in /var/www, but AFAIK if there's a new
"best practice" that should supersede this, it isn't published very widely?

> - i'm not sure if this is something we want enabled or at least globally
> accessible by default. maybe a small wrapper script to enable/disable, or it
> could be plugged into an existing framework (will a2enmod work for stuff
> that's only .conf and not .load files maybe?).

Well, I think it misses the target audience if it's not enabled by default.
I'm guessing you're concerned about this being a security problem by virtue
of being an information leak? It seems to me that the only information
being leaked is whether there's a mysql server or a postgresql server
available on the local machine. If someone is in a position to exploit this
fact, presumably they don't need the PHP test page to tell them it's there?

Cheers,
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek at ubuntu.com vorlon at debian.org