#1071587 libapache2-mod-php: Default php.conf serves php in userdirs as plaintext (potentially exposing passwords)

#1071587#5
Date:
2024-05-21 17:02:01 UTC
This applies to all currently available versions (goes back to initial commit of php.conf).

The php.conf distributed disables the php engine for userdirs, but does not
block php files from being served from them. This causes a default install to
serve the php source as plaintext. Since many common php webapps still keep
passwords in *.inc.php config files inside web accessible dirs, this allows
those passwords and other config data to be accessed by anyone requesting
the proper URL. This happened to me while doing a debootstrap upgrade/install
to a chroot lvm: my previously working php app started up in the new version
serving plaintext php source from apps in my userdir, while non-userdir php
was working as before. I consider this a bug since this package intentionally
changes the otherwise configured state as a "security" issue to prevent rogue
php run in userdirs, while in the same file preventing raw php source from
being served (line 8). There are very few reasons to directly serve php files
as plaintext. A simple fix is to add a FilesMatch directive to the existing
Directory directive to block serving the files the directive has changed
handling of. Patch below is also applied to the debian/main/7.2 branch of
the fork in salsa/git I created (should work for all versions since the file
has no changes up to current): https://salsa.debian.org/tmack0/php.git

PATCH:

diff --git a/debian/php.conf b/debian/php.conf
index d4df3e5f7..df24ab139 100644
--- a/debian/php.conf
+++ b/debian/php.conf
@@ -17,9 +17,16 @@
 #
 # To re-enable PHP in user directories comment the following lines
 # (from <IfModule ...> to </IfModule>.) Do NOT set it to On as it
-# prevents .htaccess files from disabling it.
+# prevents .htaccess files from disabling it. This also disables
+# serving the files, as the webserver would otherwise serve them
+# as plaintext, and many software packages still put passwords in
+# .php files. Comment out or remove the FilesMatch directive if
+# you really want to serve php as plaintext from user dirs.
 <IfModule mod_userdir.c>
     <Directory /home/*/public_html>
         php_admin_flag engine Off
+        <FilesMatch "\.ph(ar|p|ps|tml)$">
+            Require all denied
+        </FilesMatch>
     </Directory>
 </IfModule>
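Review bot: the added `<FilesMatch "\.ph(ar|p|ps|tml)$">` is case-sensitive (the default for Apache FilesMatch regexes), so the extension list and its case handling should be kept identical to the handler FilesMatch pattern earlier in this file that the report refers to as line 8; otherwise the set of files denied here can drift from the set whose handling `php_admin_flag engine Off` actually changes, and a file that the handler pattern matches case-insensitively would still be served as plaintext. Two smaller points on the comment block: "This also disables serving the files" is ambiguous because it follows the sentence about `On`, and reads as if setting the flag disables serving; say explicitly that the FilesMatch below denies the files, and note that commenting out the whole `<IfModule>` block to re-enable PHP also removes that deny, which is the intended behaviour.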