[pkg-php-pear] Bug#831736: php-htmlpurifier: make the package more hardening friendly
Christoph Anton Mitterer
calestyo at scientia.net
Mon Jul 18 20:25:45 UTC 2016
Package: php-htmlpurifier
Version: 4.7.0-2
Severity: normal
Hi.
It's a reasonable thing with PHP (or any other web interpreted language) is to
harden those as much as possible.
One way of doing that with PHP is to use it's open_basedir INI setting that
allows to restrict any accesses to certain directories.
The php-htmlpurifier is rather unfriendly towards this, as several of its files
are directly placed below /usr/share/php, namely:
/usr/share/php/HTMLPurifier.safe-includes.php
/usr/share/php/HTMLPurifier.php
/usr/share/php/HTMLPurifier.kses.php
/usr/share/php/HTMLPurifier.includes.php
/usr/share/php/HTMLPurifier.func.php
/usr/share/php/HTMLPurifier.composer.php
/usr/share/php/HTMLPurifier.autoload.php
/usr/share/php/HTMLPurifier.auto.php
If those files shall be used (and I guess they are necessary) one cannot
reasonable use open_basedir any long, as one needs to include the whole
/usr/share/php/ which is of course bad in the light of hardening,
especially when multiple different PHP software runs on a node (where it
makes sense to allow each of them only access to those PHP modules,
that it actually needs).
I think this:
/usr/share/php/.registry/.channel.htmlpurifier.org/htmlpurifier.reg
one is, as /usr/share/php/.registry/.channel.htmlpurifier.org/ seems to be
a php-htmlpurifier specific directory.
So one can just happily grant and exception for it, without allowing access
to n other unrealted pices of code.
Is there anything you could do about it? E.g. moving those files to some
HTMLPurifier-specific directory?
Thanks,
Chris.
More information about the pkg-php-pear
mailing list