This release fixes a security issue that was introduced with the 0.7.0 release. This issue affected the source-highlighting feature and could only be exploited if the suPHP_PHPPath option was set. In this case local users who could create or edit .htaccess files could possibly execute arbitrary code with the privileges of the user the webserver was running as.
From Peter Avalos in PR pkg/44762
pkgsrc changes:
- pkglint cleanups
- set LICENSE
- Add MESSAGE to mention the change in configuration file format.
Upstream changes:
suPHP 0.7.1 has been released.
This release fixes a bug causing problems with symbolic links in the script path,
which was introduced with the 0.7.0 release.
suPHP 0.7.0 has been released.
With this release, several features that have been on the wish list for a long
time have been realized:
* The module for Apache 1.3 only supported AddHandler for older releases.
This has been fixed: Now you can use AddType, too.
* PHP source highlighting: Files of MIME type application/x-httpd-php-source
will now be shown with source highlighting. Remember to set the suPHP_PHPPath
directive to enable this feature.
* suPHP_AddHandler and suPHP_RemoveHandler directives can now be used on per
vhost level, too.
* You can configure more than one docroot and use different variables (like
user name or home directory) within docroot and chroot settings.
Attention: The configuration syntax for suphp.conf has slightly changed with
this release. Be sure to read the documentation before upgrading, because
existing configuration files will not work without changing them.
While here, add DESTDIR support and more adapt sample config file to default settings.
* Version 0.6.3 (30 March 2008)
- Fixed a possible race condition concerning the check for the
right symlink owner.
- Added checks for the owner of the parent directories.
* Version 0.6.2 (19 November 2006)
- Made mod_suphp compatible with Apache 2.2
- Modified SmartPtr implementation (hopefully) fixing
double free problem
- Fixed problem that caused the process to block
when more than 4096 were written to stderr
- Implemented userdir support
- Fixed problem with PATH_INFO and PHP scripts
* Version 0.6.1 (26 November 2005)
- Changed usage of STL to gain better compatibility with old GCC versions
(credits to Jeremy Chadwick for finding the relevant code)
- Fixed typos in mod_suphp.c (Apache 1.3)
(credits to Johan Ekenberg for finding these typos)
- Fixed potential buffer overflow in function suphp_bucket_read() in
src/apache2/mod_suphp.c
- Fix problems with scripts sending "Last-Modified" headers
- Extended autoconf script to look for an installation of APR
and to use its includedir when building mod_suphp for Apache 2
- Added support for chroot() call before execution of script
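The 0.6.3 entries above describe the class of problem (a symlink-owner check that can race against a concurrent rename, and parent directories whose ownership was not verified). The following is an added example, not suPHP's code, showing how such a check is done without a check-then-use window: the path is walked from "/" with openat() and O_NOFOLLOW, and ownership is verified with fstat() on the descriptor that is actually used. The ownership policy (parents owned by root or the target user, script a regular file owned by the target user) is an assumption for the example, not suPHP's exact rule.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Walk abs_path from "/" with openat(O_NOFOLLOW) and check ownership on each
 * descriptor with fstat(), so the object checked is the object later used and
 * no symlink is ever followed. Policy is assumed, not suPHP's: parents owned by
 * root or want_uid, final entry a regular file owned by want_uid. Returns an fd or -1. */
int open_script_checked(const char *abs_path, uid_t want_uid)
{
    char buf[4096], *save = NULL; struct stat st;
    if (abs_path[0] != '/' || strlen(abs_path) >= sizeof buf) return -1;
    strcpy(buf, abs_path);
    int dirfd = open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0) return -1;
    char *comp = strtok_r(buf, "/", &save);
    while (comp) {
        char *next = strtok_r(NULL, "/", &save);
        int fd = openat(dirfd, comp, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
        close(dirfd);                   /* parent handle no longer needed */
        if (fd < 0) return -1;          /* ELOOP here means a symlink */
        int ok = fstat(fd, &st) == 0 && (next
            ? S_ISDIR(st.st_mode) && (st.st_uid == 0 || st.st_uid == want_uid)
            : S_ISREG(st.st_mode) && st.st_uid == want_uid);
        if (!ok) { close(fd); return -1; }
        if (!next) return fd;           /* caller runs the script via this fd */
        dirfd = fd; comp = next;
    }
    close(dirfd);
    return -1;                          /* path was just "/" */
}

/* Constructed self-check: a regular file in a fresh temp directory is
 * accepted; a symlink pointing at it is refused. Returns 1 on success. */
int self_test(void)
{
    char dir[] = "/tmp/suphpchkXXXXXX", file[64], link[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(file, sizeof file, "%s/index.php", dir);
    snprintf(link, sizeof link, "%s/link.php", dir);
    FILE *f = fopen(file, "w");
    if (!f || symlink(file, link) != 0) return 0;
    fclose(f);
    int good = open_script_checked(file, getuid()), bad = open_script_checked(link, getuid());
    if (good >= 0) close(good); unlink(link); unlink(file); rmdir(dir);
    return good >= 0 && bad == -1;
}
```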
the owner of all installed files is a non-root user. This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.
(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
unprivileged.mk. These two variables are lists of other bmake
variables that define package-specific users and groups. Packages
that have user-settable variables for users and groups, e.g. apache
and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
and ${UNPRIVILEGED_GROUP}.
(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
sets BUILDLINK_INCDIRS.apr, remove custom CPPFLAGS. Use -e for the
SUBST_SED expression to mollify pkglint. Add APACHE_USER and VARBASE
to BUILD_DEFS. Don't try to remove lib/httpd on deinstall, as it
belongs to Apache. Bump PKGREVISION.
The suPHP Apache module together with suPHP itself provides an easy way
to run PHP scripts with different users on the same server.
It provides security because the PHP scripts are not run with the
rights of the webserver's user. In addition, you probably won't
have to use PHP's "safe mode", which imposes many restrictions on the
scripts.