[pkg-php-pear] Bug#831736: php-htmlpurifier: make the package more hardening friendly

Christoph Anton Mitterer calestyo at scientia.net
Mon Jul 18 20:25:45 UTC 2016

Package: php-htmlpurifier
Version: 4.7.0-2
Severity: normal


It is a reasonable thing with PHP (or any other interpreted web language) to
harden it as much as possible.
One way of doing that with PHP is to use its open_basedir INI setting, which
allows restricting any accesses to certain directories.

php-htmlpurifier is rather unfriendly towards this, as several of its files
are placed directly below /usr/share/php, namely:

If those files shall be used (and I guess they are necessary), one cannot
reasonably use open_basedir any longer, as one needs to include the whole of
/usr/share/php/, which is of course bad in the light of hardening,
especially when multiple different PHP programs run on a node (where it
makes sense to allow each of them access only to those PHP modules
that it actually needs).

I think this:
one is, as /usr/share/php/.registry/.channel.htmlpurifier.org/ seems to be
a php-htmlpurifier-specific directory.
So one can just happily grant an exception for it, without allowing access
to n other unrelated pieces of code.

Is there anything you could do about it? E.g., moving those files to some
HTMLPurifier-specific directory?
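The hardening the report asks for, shown as a php-fpm pool configuration. This is an added example, not part of the bug report or of the Debian package: the pool name, the application directory /var/www/myapp and the package-specific directory /usr/share/php/HTMLPurifier are assumptions for illustration (the report itself only names /usr/share/php/.registry/.channel.htmlpurifier.org/ as package-specific). The first setting is the broad one the report complains about; the second is the narrowed form that becomes possible once a package keeps its files under a directory of its own.

```ini
; Hypothetical php-fpm pool for one application (example only; names assumed).
[myapp]
user  = www-data
group = www-data
listen = /run/php/myapp.sock

; Too broad: every PHP package on the host becomes readable/includable by this
; application, which is what forces the report's complaint. Note that
; open_basedir matches by prefix, so "/usr/share/php" without a trailing slash
; would also match a sibling such as /usr/share/php-something.
; php_admin_value[open_basedir] = /var/www/myapp/:/usr/share/php/:/tmp/

; Narrow: the application tree, only the package directories it actually needs
; (assumed layout: one directory per package), and a scratch directory.
; Trailing slashes make each entry a directory match rather than a prefix match.
php_admin_value[open_basedir] = /var/www/myapp/:/usr/share/php/HTMLPurifier/:/usr/share/php/.registry/.channel.htmlpurifier.org/:/tmp/

; Keep the application from pulling code in from outside the allowed set.
php_admin_value[allow_url_include] = Off
php_admin_value[allow_url_fopen]   = Off
```

Use php_admin_value rather than php_value so the application cannot widen the list at runtime with ini_set() (PHP only permits narrowing open_basedir from script code). After restarting php-fpm, a quick check is a one-line script calling file_get_contents() on a file inside and on one outside the list: the outside read should fail with an "open_basedir restriction in effect" warning.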

