Regex to detect PHP exec mode

Jamie, hi!

Could you please be so kind as to update the regex that detects the PHP wrapper script?

I mean php-lib.pl in /usr/libexec/webmin/virtual-server/

Now it uses

/^\Q$d->{'home'}\E\/fcgi-bin\/php.\.fcgi/
/^application\/x-httpd-php.\s+\/cgi-bin\/php.\.cgi/

I propose

/^\Q$d->{'home'}\E\/fcgi-bin\/php\w+\.fcgi/
/^application\/x-httpd-php.\s+\/cgi-bin\/php\w+\.cgi/

If you use a different name for the PHP wrapper, then . (any single character) is not something that would work.

If you update it, I would really appreciate it, as I don't want to update it manually all the time!

Respectfully, Ilia

Status: 
Active
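To see how the two pairs of patterns quoted in the request behave, the following Perl script (an added example, not code from php-lib.pl) runs them over constructed lines. The home directory, the wrapper file names and the assumption that the patterns are applied to Apache FCGIWrapper and Action directive values are all illustrative.

```perl
#!/usr/bin/perl
# Added example: current vs. proposed wrapper-detection patterns from the post.
# All sample values below are constructed for illustration.
use strict;
use warnings;

my $d = { 'home' => '/home/example.com' };    # hypothetical domain home

# Patterns copied from the post
my %fcgi = (
    current  => qr/^\Q$d->{'home'}\E\/fcgi-bin\/php.\.fcgi/,
    proposed => qr/^\Q$d->{'home'}\E\/fcgi-bin\/php\w+\.fcgi/,
);
my %cgi = (
    current  => qr/^application\/x-httpd-php.\s+\/cgi-bin\/php.\.cgi/,
    proposed => qr/^application\/x-httpd-php.\s+\/cgi-bin\/php\w+\.cgi/,
);

# Print, for each sample line, whether each pattern matches it
sub report {
    my ($label, $pats, @lines) = @_;
    print "$label\n";
    foreach my $line (@lines) {
        my @res = map { ($line =~ $pats->{$_}) ? "yes" : "no" } qw(current proposed);
        printf "  current=%-3s proposed=%-3s %s\n", @res, $line;
    }
}

# Assumed shape of an FCGIWrapper directive value
report("fcgi-bin wrapper", \%fcgi,
    '/home/example.com/fcgi-bin/php5.fcgi .php5',       # single-character suffix
    '/home/example.com/fcgi-bin/php56.fcgi .php',       # two-digit suffix
    '/home/example.com/fcgi-bin/php_custom.fcgi .php',  # custom wrapper name
    '/home/example.com/fcgi-bin/php5.6.fcgi .php',      # dotted name: '.' is not in \w
    '/home/examplexcom/fcgi-bin/php5.fcgi .php5',       # \Q..\E keeps '.' in home literal
);

# Assumed shape of an Action directive value
report("cgi-bin wrapper", \%cgi,
    'application/x-httpd-php5 /cgi-bin/php5.cgi',
    'application/x-httpd-php5 /cgi-bin/php56.cgi',
    'application/x-httpd-php56 /cgi-bin/php56.cgi',     # MIME part is still 'php.'
);
```

Neither version matches a dotted wrapper name such as php5.6.fcgi, and in the cgi-bin pattern the MIME-type side still accepts only one character after `php`, so only the file-name part is widened by the proposal.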

Comments

Howdy -- Jamie will respond with more information shortly.

Just so that we can better understand the use-case -- what PHP wrapper file names are you using? And is there a reason the PHP wrapper names are different on your system?

I don't believe we've seen a server that used different names before.

Submitted by Ilia on Wed, 02/19/2014 - 11:40

It is wrong (security-wise) to have a PHP wrapper in the cgi-bin directory; fcgi-bin is not world accessible, so it's not really an issue. The name is irrelevant really. It starts with php and can be anything.

The point is to create as flexible a system as possible. There is no reason to tie people to certain patterns (like proprietary software does). As you're developing an open-source project, it's better to provide as much freedom in flexibility as possible.

In addition, there is no reason that Virtualmin wouldn't be able to create/manage Apache httpd containing only 443 (https) records. Now, in order to create a virtualhost (using Virtualmin), you have to create a non-SSL record as well. There is no limitation in httpd that tells us that we can't use a solely SSL site. I would also extend this.

And one more! :) As you use sendratings.pl (/cgi-bin/getratings.cgi) script to gather statistics about user preferences of scripts' installations and I bet you have only good reasons behind this, but it's totally WRONG to do it without explicit user consent, and every time the data is transferred. Just the same way as grabbing user IP (/cgi-bin/ip.cgi). There is no reason to perform a license check (/cgi-bin/vlicence.cgi) for lifetime licenses.

Thank you for your work! Please keep sticking up to the fundamentals of open-source software, keeping it as free as possible (free as in FREEDOM) ;)

All the best to you, Ilia

Those are good points ... But your regexp change doesn't seem to affect which directory the PHP wrappers are allowed to be in?

Submitted by Ilia on Thu, 02/20/2014 - 01:30

Yes, it is not affecting the directory. Now you can easily extend it to the directory name as well, which will be even better!

Thank you, Jamie!!

Having the PHP wrappers be in different directories wouldn't work though, as all the Virtualmin code that creates them uses cgi-bin and fcgi-bin. But I will fix the initial problem you reported of the wrapper only handling a single digit PHP version.

What I do when people want an SSL-only site is put a bit of mod_rewrite code in their virtualhost that sends all nonsecure links to the https version of the site. I even set up a separate template for those types of sites.

Submitted by Ilia on Fri, 02/21/2014 - 00:39

> But I will fix the initial problem you reported of the wrapper only handling a single digit PHP version.

Thank you!

> What I do when people want an SSL-only site is put a bit of mod_rewrite code in their virtualhost that sends all nonsecure links to the https version of the site. I even set up a separate template for those types of sites.

We do that. But sometimes we don't want any rewrites and want only SSL.

It's called flexibility. There is no reason to limit basic (possible) functionality.

Submitted by Ilia on Fri, 02/21/2014 - 13:06

Jamie,

Forgot one more thing!! It's very important that the virtual servers in the drop-down menu are built on the fly, based on the current Apache, BIND, Postfix, etc. configuration. For example, I might create records manually for httpd, bind and so on, and now, if you do so, they are not going to be displayed on the virtual-servers list. Right?

I think it would be the right way?

Best regards, Ilia

No, we don't generate the list of domains that way - it would be too slow to scan all those configs and match them up. Instead, Virtualmin has a directory at /etc/webmin/virtual-server/domains that contains one data file per domain.

Submitted by Ilia on Fri, 02/21/2014 - 23:10

Yes, this is true, if it's performed every time. Maybe creating a refresh button that would check for updates in conf files would be good?

If you have a domain you have manually created in the Apache and BIND config files, you can use the Add Servers -> Import Virtual Server to bring it under Virtualmin's control.

Also, making changes to the DNS zone or Apache config for existing domains will work just fine.

Submitted by Ilia on Mon, 02/24/2014 - 01:59

Thanks, Jamie!

Are you willing to fix the regex for the next release (at least for the file)?