Add PHP 8 support on Apache2 conf
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
phpmyadmin (Debian) | Fix Released | Undecided | William Desportes |
phpmyadmin (Ubuntu) | Fix Released | Undecided | Unassigned |
Jammy | Confirmed | Undecided | Unassigned |
Kinetic | Won't Fix | Undecided | Unassigned |
Bug Description
[ Impact ]
In Focal, the apache2 configuration file shipped with phpmyadmin sets two php.ini directives through "php_admin_value": upload_tmp_dir and open_basedir.
After the PHP 8 transition an unintentional regression was introduced and these directives are no longer being set. As a consequence, the temporary phpmyadmin directory at /var/lib/
Moreover (and more importantly), open_basedir is left unset (NULL), meaning that the PHP process running phpmyadmin can read files anywhere on the filesystem, well outside the phpmyadmin package scope.
However, due to the notes in https:/
[1] https:/
[2] https:/
[3] https:/
[4] https:/
Finally, this regression could also cause crashes when users set open_basedir globally for apache2 somehow, as discussed in https:/
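The description states the effect (both directives silently dropped) but not the mechanism. The script below is an added example, not code from the bug report or the phpmyadmin package, and it assumes the usual cause: the shipped conf wraps its php_admin_value lines in an <IfModule mod_php7.c> block, and the PHP 8 Apache module is named mod_php.c, so Apache skips the block and both settings vanish. It evaluates <IfModule> nesting the way Apache does against two constructed conf fragments (a pre-fix shape and a fixed shape that repeats the directives under <IfModule mod_php.c>) and reports which open_basedir, if any, actually applies for a given set of loaded modules. The paths, module names and fragments are assumptions modelled on the Debian conf, not copied from this page.

```shell
#!/bin/sh
# Added example: static check of which php_admin_value settings Apache would
# apply to phpmyadmin, given the PHP module actually loaded. Assumption (not
# stated in the bug): the shipped conf only carries the directives inside
# <IfModule mod_php7.c>, and PHP 8's Apache module is named mod_php.c.

# effective_php_admin_value CONF DIRECTIVE "LOADED MODULES"
# Prints the DIRECTIVE value that survives <IfModule> evaluation, or nothing.
# Models <IfModule name> (active when name is loaded) and <IfModule !name>
# (active when it is not); Directory/Location merge order is out of scope.
effective_php_admin_value() {
    conf="$1"; directive="$2"; loaded="$3"
    awk -v directive="$directive" -v loaded=" $loaded " '
        # opening tag: push whether this block is active
        /^[ \t]*<IfModule[ \t]/ {
            name = $2; sub(/>.*$/, "", name)
            negate = (substr(name, 1, 1) == "!")
            if (negate) name = substr(name, 2)
            present = (index(loaded, " " name " ") > 0)
            active[++depth] = (negate ? !present : present)
            next
        }
        /^[ \t]*<\/IfModule>/ { if (depth > 0) depth--; next }
        $1 == "php_admin_value" && $2 == directive {
            for (i = 1; i <= depth; i++) if (!active[i]) next
            value = $3   # a later directive in an active block overrides an earlier one
        }
        END { if (value != "") print value }
    ' "$conf"
}

# Prints the effective open_basedir, or "unrestricted" when PHP may read anywhere.
report_open_basedir() {
    v=$(effective_php_admin_value "$1" open_basedir "$2")
    if [ -n "$v" ]; then echo "$v"; else echo unrestricted; fi
}

BUGGY_CONF=$(mktemp); FIXED_CONF=$(mktemp)
trap 'rm -f "$BUGGY_CONF" "$FIXED_CONF"' EXIT

# Constructed fragment modelled on the pre-fix conf: directives only under mod_php7.c.
cat > "$BUGGY_CONF" <<'EOF'
<Directory /usr/share/phpmyadmin>
    <IfModule mod_php7.c>
        <IfModule mod_mime.c>
            AddType application/x-httpd-php .php
        </IfModule>
        php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
        php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/
    </IfModule>
</Directory>
EOF

# Constructed fragment of the fixed shape: the same directives repeated for mod_php.c.
{
    sed '$d' "$BUGGY_CONF"   # everything but the closing </Directory>
    cat <<'EOF'
    <IfModule mod_php.c>
        php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
        php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/
    </IfModule>
</Directory>
EOF
} > "$FIXED_CONF"

# PHP 7 and PHP 8 hosts, against both conf shapes: only "buggy + mod_php.c" is unrestricted.
for label in buggy fixed; do
    case $label in buggy) conf=$BUGGY_CONF ;; *) conf=$FIXED_CONF ;; esac
    for mods in "mod_php7.c mod_mime.c" "mod_php.c mod_mime.c"; do
        printf '%s conf, loaded [%s]: open_basedir=%s\n' \
            "$label" "$mods" "$(report_open_basedir "$conf" "$mods")"
    done
done
```

To use it on a real host, point effective_php_admin_value at the phpmyadmin conf Apache actually includes and pass the module source-file names used in its IfModule lines. The check only models IfModule; it does not reproduce Directory/Location merge order or the php_value versus php_admin_value precedence, so treat an "unrestricted" result as a prompt to confirm with the runtime probe from the test plan rather than as proof on its own.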
[ Test Plan ]
* From a fresh ubuntu installation:
- install phpmyadmin and libapache2-mod-php
- browse to http://
- append "php_admin_value open_basedir ." to /etc/apache2/
- restart Apache2
- browse to http://
PHP Fatal error: Uncaught Error: Failed opening required 'PhpMyAdmin/
- Perform all the steps above, now with a phpmyadmin package with the proposed fix
- verify that the error no longer occurs.
ALTERNATIVELY:
Append the following code snippet to the beginning of /usr/share/
$secret_file = '/etc/hosts';
$secret = file_get_
if ($secret) {
error_
}
Restart apache2 and browse to http://
Now, check /var/log/
Affected systems will contain an entry with the contents of /etc/hosts, while patched systems will contain
file_get_
file_get_
[ Where problems could occur ]
Some users may be relying on upload_tmp_dir effectively being /tmp (the fallback once the directive is dropped) to perform additional verification or collect metrics during phpmyadmin runtime. Restoring the directive would be a regression for those users.
Moreover, users could be extending phpmyadmin in unusual ways by relying on the fact that open_basedir is not set (being able to access the whole filesystem through its PHP process). Restoring the restriction would also be a regression for those users.
[ Other Info ]
This issue has been fixed in lunar and later releases.
See: (https:/
See: https:/
Related branches
- William Desportes (community): Approve
- Canonical Server packageset reviewers: Pending requested
- Canonical Server Reporter: Pending requested
Diff: 155 lines (+98/-1), 7 files modified:
  debian/NEWS (+11/-0)
  debian/changelog (+14/-0)
  debian/conf/apache.conf (+6/-0)
  debian/control (+2/-1)
  debian/patches/CVE-2023-25727.patch (+24/-0)
  debian/patches/Require-PHP-8.0.patch (+39/-0)
  debian/patches/series (+2/-0)
- William Desportes (community): Approve (diff)
- Canonical Server Reporter: Pending requested
Diff: 166 lines (+101/-2), 7 files modified:
  debian/NEWS (+11/-0)
  debian/changelog (+16/-0)
  debian/conf/apache.conf (+6/-0)
  debian/control (+3/-2)
  debian/patches/CVE-2023-25727.patch (+24/-0)
  debian/patches/Require-PHP-8.0.patch (+39/-0)
  debian/patches/series (+2/-0)
- William Desportes (community): Approve (debdiff)
- Canonical Server Reporter: Pending requested
Diff: 155 lines (+98/-1), 7 files modified:
  debian/NEWS (+11/-0)
  debian/changelog (+14/-0)
  debian/conf/apache.conf (+6/-0)
  debian/control (+2/-1)
  debian/patches/CVE-2023-25727.patch (+24/-0)
  debian/patches/Require-PHP-8.0.patch (+39/-0)
  debian/patches/series (+2/-0)
tags: removed: patch sru-release verification-needed-jammy
Changed in phpmyadmin (Debian):
  assignee: nobody → William Desportes (williamdes)
  status: New → Fix Released
Changed in phpmyadmin (Ubuntu):
  status: New → Fix Released
summary:
  - [SRU] add PHP 8 on Apache2 conf
  + Add PHP 8 support on Apache2 conf
description: updated
description: updated
An upload of phpmyadmin to kinetic-proposed has been rejected from the upload queue for the following reason: "incomplete Recommends fix (LP: #2016017)".