Quick patch for PHP 5.2.5 breaking Horde on Plesk 8.2.1 and earlier

Updated PHP to version 5.2.5 while running Plesk? Horde WebMail broken? Log in, become the root system user, run this one-liner, then restart Apache:

# cat > /etc/httpd/conf.d/zz050a_horde_php_patch.conf <<EOF 
<DirectoryMatch /usr/share/psa-horde>
    php_admin_value include_path "/usr/share/psa-horde/lib:/usr/share/psa-horde:/usr/share/psa-horde/pear:."
</DirectoryMatch>
EOF
# service httpd configtest && service httpd graceful

Some discussion:

PHP 5.2.5 introduced a security fix to not allow scripts to override explicitly set php_admin_value and php_admin_flag directives in httpd.conf and its included configuration files. For more information, please see:

http://www.php.net/ChangeLog-5.php

Note the security fixes in this release:

Security Fixes

* Fixed dl() to only accept filenames. reported by Laurent Gaffie.
* Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887).
* Fixed htmlentities/htmlspecialchars not to accept partial multibyte
sequences.
* Fixed possible triggering of buffer overflows inside glibc
implementations of the fnmatch(), setlocale() and glob() functions.
Reported by Laurent Gaffie.
* Fixed "mail.force_extra_parameters" php.ini directive not to be
modifiable in .htaccess due to the security implications reported by
SecurityReason.
* Fixed bug #42869 (automatic session id insertion adds sessions id to
non-local forms).
* Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be
overwritten with ini_set()).

Many applications use ini_set() to change php_admin* settings on the fly, especially "include_path". Mambo and Joomla are examples of such applications. Plesk sets some php_admin* directives explicitly in its httpd configuration files, including "include_path". Thus, this combination of ini_set and php_admin* practices now conflicts with PHP 5.2.5 *BY DESIGN*.

The workaround above moves the include path into the Apache configuration, thus restoring Horde's functionality. If you have other conflicts, you can perform the same type of maneuver, probably in a conf/vhost.conf file for the affected Plesk-controlled domain.
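To find other conflicts of this kind before users report them, the following added example (not part of the original post, and not Plesk or Horde code) lists the settings locked by php_admin_value/php_admin_flag under an Apache config directory and reports the ini_set() calls in application code that target them. The function names, the /srv/sample-app paths and the sample files built by demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): find ini_set() calls that
# PHP >= 5.2.5 will refuse because Apache locks the setting via php_admin_*.

# Print each setting name locked by php_admin_value/php_admin_flag under $1.
locked_settings() {
    find "$1" -type f -exec cat {} + |
        awk 'tolower($1) ~ /^php_admin_(value|flag)$/ { print $2 }' | sort -u
}

# Print file:line:code for every ini_set() in *.php under $2 that targets a
# setting locked in the Apache config directory $1.
find_conflicts() {
    locked_settings "$1" | while read -r name; do
        re=$(printf '%s' "$name" | sed 's/\./\\./g')   # escape dots for the regex
        find "$2" -type f -name '*.php' -exec \
            grep -inE "ini_set[[:space:]]*\([[:space:]]*['\"]${re}['\"]" /dev/null {} + || :
    done
}

# Constructed sample: a config shaped like the workaround plus two PHP files.
# memory_limit is set with php_value (not locked), so it must not be reported.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/conf" "$d/app"
    cat > "$d/conf/zz_sample.conf" <<'EOF'
<DirectoryMatch /srv/sample-app>
    php_admin_value include_path "/srv/sample-app/lib:."
    php_admin_flag safe_mode on
</DirectoryMatch>
php_value memory_limit 32M
EOF
    cat > "$d/app/init.php" <<'EOF'
<?php
ini_set('include_path', '/srv/sample-app/pear');
ini_set("memory_limit", "64M");
EOF
    printf '<?php\necho "hello";\n' > "$d/app/view.php"
    (cd "$d" && find_conflicts conf app)
    rm -rf "$d"
}

# Usage: sh script.sh CONF_DIR APP_DIR   (without arguments, run the sample)
if [ "$#" -eq 2 ]; then find_conflicts "$1" "$2"; else demo; fi
```

Each reported line is a place where the application expects to change a value the server administrator has pinned; either move the needed value into the Apache configuration, as the workaround does for include_path, or drop the php_admin_* directive if the lock is not wanted.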

P.S. Thanks to the people I work with for making this patch happen!
