Christoph Anton Mitterer
2012-May-23 00:59 UTC
[Secure-testing-team] Bug#674089: mime-support: removed application/x-httpd-* can lead to immense security problems
Package: mime-support
Version: 3.52-1
Severity: critical
Tags: security
Justification: breaks unrelated software

Hi.

In 3.52-1 you removed application/x-httpd-* to close #589384. This happened without any notice in the NEWS files and I really wonder whether any thought has been spent on the tremendous security effects this can have.

Given that most people (reasonably) rely on /etc/mime.types to determine the MIME type for files, e.g. with Apache, removal of the above means e.g. that php scripts are no longer determined as such, but now directly shown as text files. With all the security effects you can think of and all you even can't think of. And of course it breaks countless working installations using e.g. php.

a) If you make such a tremendous change you have to announce it in the release file.

b) Removing the type is definitely the wrong decision. Apache provides many means to change the handlers and if all that shouldn't work (which I doubt) one can simply disable the use of /etc/mime.types. It's not the business of mime.types to please any specific user, ... like it seems to me with the aforementioned bug. Nor should it be mime.types' business to please any software if that was broken (but as said, Apache is not).

Obviously application/x-* are not official flags, but if that was the reason we'd have to remove much more than just the php ones.

Cheers,
Chris.

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.17-heisenberg (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

mime-support depends on no packages.

Versions of packages mime-support recommends:
ii  file  5.11-1

mime-support suggests no packages.

-- no debconf information
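The failure mode the report describes, as an added check that is not part of the bug report nor of mime-support or Apache: it parses constructed mime.types fragments (before and after the application/x-httpd-php line was dropped) and constructed Apache fragments, then reports the type mod_mime would assign to a .php file. The constructed sample data and the assumption that an admin's explicit mapping is written as an AddType/AddHandler directive are this example's own.

```python
import re

# Constructed sample data (not from the bug report): a mime.types fragment
# as shipped before the change, and the same fragment with the line removed.
MIME_TYPES_OLD = (
    "# MIME type\t\t\textensions\n"
    "application/x-httpd-php\t\tphtml pht php\n"
    "text/plain\t\t\t\tasc txt text pot brf\n"
)
MIME_TYPES_NEW = (
    "# MIME type\t\t\textensions\n"
    "text/plain\t\t\t\tasc txt text pot brf\n"
)
# Constructed Apache fragments: one relying on /etc/mime.types alone, one
# naming the type explicitly with mod_mime's AddType directive.
APACHE_IMPLICIT = "TypesConfig /etc/mime.types\n"
APACHE_EXPLICIT = APACHE_IMPLICIT + "AddType application/x-httpd-php .php .phtml\n"

_ADD_RE = re.compile(r"^\s*(AddType|AddHandler)\s+(\S+)\s+(.+)$", re.I | re.M)


def parse_mime_types(text):
    """mime.types format: one type per line, then whitespace-separated
    extensions; '#' starts a comment. Returns {extension: type}."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for ext in fields[1:]:
            mapping[ext.lower()] = fields[0]
    return mapping


def explicit_types(apache_conf):
    """Extensions bound by AddType/AddHandler, with leading dots stripped."""
    bound = {}
    for _directive, value, exts in _ADD_RE.findall(apache_conf):
        for ext in exts.split():
            bound[ext.lstrip(".").lower()] = value
    return bound


def effective_type(filename, mime_types_text, apache_conf):
    """Type mod_mime would assign: explicit directives win, then the
    TypesConfig file; None means no mapping, so the file is sent as-is."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return (explicit_types(apache_conf).get(ext)
            or parse_mime_types(mime_types_text).get(ext))


def php_exposed(filename, mime_types_text, apache_conf):
    """True when nothing maps the file to the PHP type, i.e. the script
    source would be delivered to the client instead of being executed."""
    return effective_type(filename, mime_types_text, apache_conf) != "application/x-httpd-php"
```

Run against the real /etc/mime.types and the site's Apache configuration, `php_exposed` flags a host whose PHP handling depended only on the removed entry.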