From 87d3bf2e9ea7da5abbeca3e60ea7cf7abfa6f7f3 Mon Sep 17 00:00:00 2001
From: Mikhail Alferov <malferov@gmail.com>
Date: Mon, 21 Oct 2024 17:41:21 +0300
Subject: [PATCH] cgi-bin.xml Add tags (#3885)

---
 security/cgi-bin.xml | 38 ++++++++++++++++++++------------------
 1 file changed, 20 insertions(+), 18 deletions(-)

diff --git a/security/cgi-bin.xml b/security/cgi-bin.xml
index 4050d59940..5e9a982314 100644
--- a/security/cgi-bin.xml
+++ b/security/cgi-bin.xml
@@ -10,13 +10,14 @@
      Using PHP as a <acronym>CGI</acronym> binary is an option for
      setups that for some reason do not wish to integrate PHP as a
      module into server software (like Apache), or will use PHP with
-     different kinds of <acronym>CGI</acronym> wrappers to create safe chroot and setuid
+     different kinds of <acronym>CGI</acronym> wrappers to create safe
+     <command>chroot</command> and <command>setuid</command>
      environments for scripts.  This setup usually involves installing
-     executable PHP binary to the web server cgi-bin directory.  CERT
-     advisory <link xlink:href="&url.cert;">CA-96.11</link> recommends
-     against placing any interpreters into cgi-bin.  Even if the PHP
-     binary can be used as a standalone interpreter, PHP is designed
-     to prevent the attacks this setup makes possible:
+     executable <command>php</command> binary to the web server <filename class="directory">cgi-bin</filename> directory.
+     CERT advisory <link xlink:href="&url.cert;">CA-96.11</link> recommends
+     against placing any interpreters into <filename class="directory">cgi-bin</filename>.
+     Even if the <command>php</command> binary can be used as a standalone interpreter,
+     PHP is designed to prevent the attacks this setup makes possible:
     </simpara>
     <itemizedlist>
      <listitem>
@@ -25,13 +26,13 @@
        role="url">http://my.host/cgi-bin/php?/etc/passwd</filename>
       </simpara>
       <simpara>
-       The query information in a URL after the question mark (?)  is
+       The query information in a URL after the question mark (<literal>?</literal>)  is
        passed as command line arguments to the interpreter by the CGI
        interface.  Usually interpreters open and execute the file
        specified as the first argument on the command line.
       </simpara>
       <simpara>
-       When invoked as a CGI binary, PHP refuses to interpret the
+       When invoked as a CGI binary, <command>php</command> refuses to interpret the
        command line arguments.
       </simpara>
      </listitem>
@@ -46,7 +47,7 @@
        conventionally used to specify the name of the file to be
        opened and interpreted by the <acronym>CGI</acronym> program.
        Usually some web server configuration directives (Apache:
-       Action) are used to redirect requests to documents like
+       <literal>Action</literal>) are used to redirect requests to documents like
        <filename
        role="url">http://my.host/secret/script.php</filename> to the
        PHP interpreter.  With this setup, the web server first checks
@@ -80,7 +81,7 @@
 
     <simpara>
      If your server does not have any content that is not restricted
-     by password or ip based access control, there is no need for
+     by password or IP based access control, there is no need for
      these configuration options.  If your web server does not allow
      you to do redirects, or the server does not have a way to
      communicate to the PHP binary that the request is a safely
@@ -94,8 +95,8 @@
      role="php">http://my.host/dir/script.php</filename>.
     </simpara>
     <simpara>
-     Redirection can be configured in Apache by using AddHandler and
-     Action directives (see below).
+     Redirection can be configured in Apache by using <literal>AddHandler</literal> and
+     <literal>Action</literal> directives (see below).
     </simpara>
    </sect1>
 
@@ -104,7 +105,7 @@
     <simpara>
      The configuration directive <link
      linkend="ini.cgi.force-redirect">cgi.force_redirect</link>
-     prevents anyone from calling PHP
+     prevents anyone from calling <command>php</command>
      directly with a URL like <filename
      role="php">http://my.host/cgi-bin/php/secretdir/script.php</filename>.
      Instead, PHP will only parse in this mode if it has gone through
@@ -147,7 +148,8 @@ AddHandler php-script .php
     <simpara>
      Also if the method for making sure the requests are not
      redirected, as described in the previous section, is not
-     available, it is necessary to set up a script doc_root that is
+     available, it is necessary to set up a
+     script <link linkend="ini.doc-root">doc_root</link> that is
      different from web document root.
     </simpara>
     <simpara>
@@ -164,17 +166,17 @@ AddHandler php-script .php
     </simpara>
     <simpara>
      Another option usable here is <link
-     linkend="ini.user-dir">user_dir</link>.  When user_dir is unset,
-     only thing controlling the opened file name is
+     linkend="ini.user-dir">user_dir</link>.  When <parameter>user_dir</parameter> is
+     unset, only thing controlling the opened file name is
      <parameter>doc_root</parameter>.  Opening a URL like <filename
      role="url">http://my.host/~user/doc.php</filename> does not
      result in opening a file under users home directory, but a file
      called <filename role="uri">~user/doc.php</filename> under
-     doc_root (yes, a directory name starting with a tilde
+     <parameter>doc_root</parameter> (yes, a directory name starting with a tilde
      [<literal>~</literal>]).
     </simpara>
     <simpara>
-     If user_dir is set to for example <filename
+     If <parameter>user_dir</parameter> is set to for example <filename
      role="dir">public_php</filename>, a request like <filename
      role="url">http://my.host/~user/doc.php</filename> will open a
      file called <filename>doc.php</filename> under the directory