Menu
▾
▴
Re: [Tclhttpd-users] TclHttpd and PHP
|
From: Nicolas B. <nic...@ma...> - 2004-08-02 10:24:21
|
Colin McCormack wrote: >On Mon, 2004-08-02 at 17:01, Nicolas Boretos wrote: > > >>The stuff below let's us play php as cgi... >>I only wonder if there's not a better hook to set and unset >>env(REDIRECT_STATUS)? Maybe grab the file extension >>and set/unset only then..? >> >> > >I was wondering, when I read your wiki page on this, what is going on >with REDIRECT_STATUS that it causes php problems? > > Hi Colin, AFAIU, from the php docs, seems many installs place the interp under cgi-bin, where CERT advisory CA-96.11 <http://www.cert.org/advisories/CA-1996-11.html> recommends against this... http://gr.php.net/security.cgi-bin They say that this would permit php to read files either outside of the docRoot, .../php?/etc/passwd.. or under docRoot .../php/secretdir/documents.html so they usually compile with a configuration option --enable-force-cgi-redirect <configure.php#configure.enable-force-cgi-redirect> to prevent this attack What I saw, with php outside the wevserver, was 1. if a .php page is in cgi-bin, then php does not compalin, but that would mean all php pages must reside there...not very convenient... 2. if a .php page is placed in directory under docroot, then it must be have a .cgi extension...., not very practical.. From what I've understood is that one can set the REDIRECT_STATUS variable while executing, that overides the above compile flag. Additionally, one should set the doc_root directory in the php.ini, thus disallowing php to read files outside of doc_root.... This is about as much as I kow 'bout php.... Anyway, I am not really sure whether this approach closes up the security problems with php, but it at least allows php files, to be executed under doc_root w/o the need for renaming them to .cgi... My question was basically whether there was a cleaner way to do this, e.g do this only when running php pages... regards, nicolas |
