Quick patch for PHP 5.2.5 breaking Horde on Plesk 8.2.1 and earlier
Submitted by robot_terror on Mon, 12/10/2007 - 13:15.
Updated PHP to version 5.2.5 while running Plesk, and now Horde WebMail is broken? Log in, become the root system user, run this one-liner, then restart Apache:
# cat > /etc/httpd/conf.d/zz050a_horde_php_patch.conf <<EOF
<DirectoryMatch /usr/share/psa-horde>
php_admin_value include_path "/usr/share/psa-horde/lib:/usr/share/psa-horde:/usr/share/psa-horde/pear:."
</DirectoryMatch>
EOF
# service httpd configtest && service httpd graceful
Some discussion:
PHP 5.2.5 introduced a security fix to not allow scripts to override explicitly set php_admin_value and php_admin_flag directives in httpd.conf and its included configuration files. For more information, please see:
http://www.php.net/ChangeLog-5.php
Note the security fixes in this release:
Security Fixes
* Fixed dl() to only accept filenames. reported by Laurent Gaffie.
* Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887).
* Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences.
* Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie.
* Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications reported by SecurityReason.
* Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms).
* Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()).
Many applications use ini_set() to change settings on the fly that the server has locked with php_admin_*, especially "include_path"; Mambo and Joomla are examples of such applications. Plesk explicitly sets some php_admin_* directives in its httpd configuration files, including "include_path". This combination of ini_set() and php_admin_* practices therefore conflicts with PHP 5.2.5 *BY DESIGN*.
The workaround above moves the include path into the Apache configuration, where php_admin_value is honoured, thus restoring Horde's functionality. If you have other conflicts you can perform the same type of maneuver, probably in a conf/vhost.conf file for the affected Plesk-controlled domain.
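To find out which other applications on a host are affected before they break, the following added script (not part of the original post) lists the php_admin_* keys locked in a set of Apache configuration files that an application's PHP code also tries to change with ini_set(). The two directory arguments are assumptions; on a Plesk host you would pass something like /etc/httpd/conf.d and the application's document root.

```shell
#!/bin/sh
# Added example: report php_admin_* keys locked in Apache config that an
# application also sets at runtime with ini_set(), i.e. exactly the
# combination PHP 5.2.5 now rejects (bug #41561).
# Usage: find_ini_conflicts <apache-conf-dir> <php-app-dir>
# Both directories are arguments chosen by the caller, not fixed Plesk paths.

# Print the ini keys locked via php_admin_value / php_admin_flag, one per line.
locked_keys() {
    conf_dir=$1
    grep -rhoE '^[[:space:]]*php_admin_(value|flag)[[:space:]]+[A-Za-z0-9_.]+' "$conf_dir" 2>/dev/null \
        | awk '{print $2}' | sort -u
}

# Print the ini keys an application changes at runtime with ini_set(), one per line.
ini_set_keys() {
    app_dir=$1
    grep -rhoE --include='*.php' "ini_set[[:space:]]*\([[:space:]]*['\"][A-Za-z0-9_.]+['\"]" "$app_dir" 2>/dev/null \
        | sed -E "s/.*['\"]([A-Za-z0-9_.]+)['\"]/\1/" | sort -u
}

# Print the keys present in both lists. Returns 1 if any conflict exists,
# 0 if the application is safe under PHP 5.2.5 as configured.
find_ini_conflicts() {
    conf_dir=$1
    app_dir=$2
    locked=$(locked_keys "$conf_dir")
    runtime=$(ini_set_keys "$app_dir")
    # Keys appearing in both sorted lists show up as duplicates.
    conflicts=$(printf '%s\n%s\n' "$locked" "$runtime" | sort | uniq -d)
    if [ -n "$conflicts" ]; then
        printf 'php_admin_* keys also set via ini_set() (ini_set() will fail under PHP 5.2.5):\n'
        printf '%s\n' "$conflicts"
        return 1
    fi
    echo "no conflicts found"
    return 0
}
```

Each reported key needs the same treatment as include_path above: set the value the application wants in the Apache configuration instead of relying on ini_set().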
P.S. Thanks to the people I work with for making this patch happen!
