[php-maint] Bug#555606: Rethink mod_php default configuration / disable for userdirs
Stefan Fritsch
sf at sfritsch.de
Tue Nov 10 11:59:19 UTC 2009
package: libapache2-mod-php5
severity: wishlist
On Tuesday 10 November 2009, sean finney wrote:
> > > And my personal nitpick; PHP should be off by default so that
> > > php scripts in configured data locations are not executed by
> > > web servers by default. PHP files/dirs in webapp packages
> > > should be whitelisted for execution rather than each webapp
> > > needing to blacklist their configured data locations.
> >
> >
> > Fine with me. I'm not sure every web server supports such a
> > feature, though.
>
> someone ought to file a wishlist bug against php5. at the very
> least there could be a debconf prompt controlling the global
> status of php, and i think there's a strong case for arguing that
> apps shouldn't assume that it's on by default.
>
I would really like to see php being disabled for userdirs by default.
This currently allows every user to execute code as user www-data.
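
Added example, not part of the original message and not the package's own configuration: one way to switch the PHP engine off for per-user web directories under Apache with mod_php5. The `/home/*/public_html` path is an assumption based on the usual UserDir layout; adjust it to the local `UserDir` setting.

```apache
# Constructed example for Apache 2.x with mod_php5 and mod_userdir loaded.
# Assumption: UserDir points at public_html under /home.

# Current behaviour described above: the PHP handler applies server-wide,
# so any ~/public_html/*.php is executed as the Apache user (www-data).

# Hardened: turn the PHP engine off inside userdirs only.
<IfModule mod_php5.c>
    <IfModule mod_userdir.c>
        <Directory /home/*/public_html>
            # php_admin_flag cannot be overridden from .htaccess or ini_set(),
            # so a user cannot switch the engine back on for their own files.
            php_admin_flag engine Off
        </Directory>
    </IfModule>
</IfModule>
```

With the engine off, Apache no longer executes `.php` files under these directories and serves them as ordinary files, so their source becomes readable to visitors.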