From: Michael Orlitzky
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] News item: Apache "-D PHP5" needs update to "-D PHP"
Date: Mon, 4 Jan 2016 11:53:10 -0500
Message-ID: <568AA376.4090507@gentoo.org>

On 01/04/2016 12:11 AM, Jeroen Roovers wrote:
>
>> Without updating APACHE2_OPTS, websites could end up serving
>> PHP code (include configuration files with passwords)
>> unprocessed to website visitors!
>
> That would mean there is an additional (local) security problem.
>

All PHP applications are written by the sort of people who will tell you to put a config file in the public DocumentRoot, and that's not easy to fix as the system administrator. Those virtual hosts should really really really really really be wrapped in statements.
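
The condition the quoted news item warns about can be checked mechanically. The script below is an added example, not part of the original message or of any Gentoo tooling: it reports whether an `APACHE2_OPTS` assignment still defines `PHP5` without `PHP`. The function names and the assumption that the file passed in is a shell-style config containing an `APACHE2_OPTS="..."` line are illustrative.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumption: the file given as $1 is a shell-style config holding an
# APACHE2_OPTS="..." assignment; its location is left to the caller.

# Print the value of the last uncommented APACHE2_OPTS assignment in file $1.
apache2_opts() {
    sed -n 's/^[[:space:]]*APACHE2_OPTS=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Print "stale" (PHP5 defined, PHP not), "ok" (PHP defined) or "no-php".
check_php_define() {
    opts=$(apache2_opts "$1")
    has_php=no; has_php5=no; prev=
    set -f              # keep a stray * in the options from globbing
    set -- $opts        # split on whitespace into positional parameters
    set +f
    for w in "$@"; do
        case "$prev:$w" in
            -D:PHP|*:-DPHP)   has_php=yes ;;   # "-D PHP", or attached "-DPHP"
            -D:PHP5|*:-DPHP5) has_php5=yes ;;
        esac
        prev=$w
    done
    if [ "$has_php" = yes ]; then echo ok
    elif [ "$has_php5" = yes ]; then echo stale
    else echo no-php
    fi
}

# Constructed sample: a config that was never edited after the rename.
sample=$(mktemp)
printf '%s\n' '# APACHE2_OPTS="-D PHP"' \
    'APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D PHP5"' > "$sample"
echo "sample config: $(check_php_define "$sample")"
rm -f "$sample"
```

A `stale` result means the define should be updated before the web server is restarted; `no-php` means PHP is not being enabled through `APACHE2_OPTS` at all.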