
Re: Web applications specific issues



Hello all,

As a maintainer of some PHP applications in Debian I very much welcome this list.

The original mail by Alexis raises some valid points, all of which we
could concern ourselves with. However, I think we need to concentrate on a
subset of that first to make it happen, and tend to other aspects later on.
But for now it wouldn't hurt to just talk a bit about the issues at hand,
so we have an overview of all that could be done, and then split off into
separate threads, e.g. about the (db,www)config-common packages, or a
policy, security etc.

> Providing a VirtualHosting facility
> -----------------------------------------------------------------

This is nicely solved in the phpbb2 package, which contains instructions
on how to set it up for multiple boards on one host. It amounts in short
to the following: create separate db, create new copy of config file under
etc, change apache config snippet to point to this new config file. While
not perfect or automatic, it is reasonably well doable.

> Managing PHP libraries, security policy about include()
> -----------------------------------------------------------------
>
> When you provide some php scripts in your package, you are likely to find
> some include() statements in some scripts. There must be a discussion
> around the security issues about that, as it can sometimes lead to security
> holes[1].

I think it's important to require PHP apps to run with register_globals
off, since this prevents a lot of potential security holes. If upstream
doesn't support this at all this is not feasible (they should be pushed to
change that). In that case one should include a means / instruction of
turning r_g on for this specific application only so people won't turn it
on globally.

Also, if reasonably possible it should be made compatible with PHP's
safe_mode.


(BTW I'm the co-maintainer of the squirrelmail and phpbb2 packages, and
working on phpgedview which can be expected in a few weeks.)


Regards,

Thijs
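The per-application approach the post argues for (site-wide register_globals off, enabled only for the one application that still needs it, plus safe_mode where the application tolerates it) can be expressed in the Apache configuration snippet a package ships. The following is an added example, not configuration from the post or from any real Debian package: the package name "example-app", its paths, and the open_basedir restriction (my addition, aimed at the include() concerns raised in the quoted mail) are assumptions.

```apache
# Added example (not from the list post): mod_php configuration snippet
# for a hypothetical Debian package "example-app" installed under
# /usr/share/example-app, with its editable config in /etc/example-app.
#
# Assumed site-wide defaults in php.ini (not part of this snippet):
#   register_globals = Off
#   safe_mode = Off
# Nothing here changes those defaults for other applications on the host.

Alias /example-app /usr/share/example-app

<Directory /usr/share/example-app>
    # Re-enable register_globals for this directory tree only.
    # php_flag can still be overridden by a .htaccess file inside the tree;
    # use php_admin_flag instead if the application's files must not change it.
    php_flag register_globals on

    # Turn safe_mode on for this application, and do not let it be overridden.
    php_admin_flag safe_mode on

    # Restrict file access (and therefore include()) to the application's own
    # tree and its configuration directory; paths are ':'-separated on Unix.
    php_admin_value open_basedir /usr/share/example-app:/etc/example-app

    Order allow,deny
    Allow from all
</Directory>
```

Once upstream no longer depends on register_globals, the single php_flag line is all that has to be dropped; the rest of the snippet stays valid.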


