diff --git a/security/cgi-bin.xml b/security/cgi-bin.xml
index 4050d59940..5e9a982314 100644
--- a/security/cgi-bin.xml
+++ b/security/cgi-bin.xml
@@ -10,13 +10,14 @@
Using PHP as a CGI binary is an option for
setups that for some reason do not wish to integrate PHP as a
module into server software (like Apache), or will use PHP with
- different kinds of CGI wrappers to create safe chroot and setuid
+ different kinds of CGI wrappers to create safe
+ chroot and setuid
environments for scripts. This setup usually involves installing
- executable PHP binary to the web server cgi-bin directory. CERT
- advisory CA-96.11 recommends
- against placing any interpreters into cgi-bin. Even if the PHP
- binary can be used as a standalone interpreter, PHP is designed
- to prevent the attacks this setup makes possible:
+ executable php binary to the web server cgi-bin directory.
+ CERT advisory CA-96.11 recommends
+ against placing any interpreters into cgi-bin.
+ Even if the php binary can be used as a standalone interpreter,
+ PHP is designed to prevent the attacks this setup makes possible:
@@ -25,13 +26,13 @@
role="url">http://my.host/cgi-bin/php?/etc/passwd
- The query information in a URL after the question mark (?) is
+ The query information in a URL after the question mark (?) is
passed as command line arguments to the interpreter by the CGI
interface. Usually interpreters open and execute the file
specified as the first argument on the command line.
- When invoked as a CGI binary, PHP refuses to interpret the
+ When invoked as a CGI binary, php refuses to interpret the
command line arguments.
@@ -46,7 +47,7 @@
conventionally used to specify the name of the file to be
opened and interpreted by the CGI program.
Usually some web server configuration directives (Apache:
- Action) are used to redirect requests to documents like
+ Action) are used to redirect requests to documents like
http://my.host/secret/script.php to the
PHP interpreter. With this setup, the web server first checks
@@ -80,7 +81,7 @@
If your server does not have any content that is not restricted
- by password or ip based access control, there is no need for
+ by password or IP based access control, there is no need for
these configuration options. If your web server does not allow
you to do redirects, or the server does not have a way to
communicate to the PHP binary that the request is a safely
@@ -94,8 +95,8 @@
role="php">http://my.host/dir/script.php.
- Redirection can be configured in Apache by using AddHandler and
- Action directives (see below).
+ Redirection can be configured in Apache by using AddHandler and
+ Action directives (see below).
@@ -104,7 +105,7 @@
The configuration directive cgi.force_redirect
- prevents anyone from calling PHP
+ prevents anyone from calling php
directly with a URL like http://my.host/cgi-bin/php/secretdir/script.php.
Instead, PHP will only parse in this mode if it has gone through
@@ -147,7 +148,8 @@ AddHandler php-script .php
Also if the method for making sure the requests are not
redirected, as described in the previous section, is not
- available, it is necessary to set up a script doc_root that is
+ available, it is necessary to set up a
+ script doc_root that is
different from web document root.
@@ -164,17 +166,17 @@ AddHandler php-script .php
Another option usable here is user_dir. When user_dir is unset,
- only thing controlling the opened file name is
+ linkend="ini.user-dir">user_dir. When user_dir is
+ unset, only thing controlling the opened file name is
doc_root. Opening a URL like http://my.host/~user/doc.php does not
result in opening a file under users home directory, but a file
called ~user/doc.php under
- doc_root (yes, a directory name starting with a tilde
+ doc_root (yes, a directory name starting with a tilde
[~]).
- If user_dir is set to for example user_dir is set to for example public_php, a request like http://my.host/~user/doc.php will open a
file called doc.php under the directory