Subject: Re: CGI changes for the php4 and php5 packages
To: Todd Vierling <tv@duh.org>
From: Jaromir Dolecek <jdolecek@NetBSD.org>
List: tech-pkg
Date: 09/09/2005 20:03:07
On Tue, Sep 06, 2005 at 03:46:34PM -0400, Todd Vierling wrote:
> On Sun, 4 Sep 2005, Johnny C. Lam wrote:
> 
> > Since there are already packages that build and install Apache-specific
> > versions of PHP (ap-php4 and ap-php5), I think we should change the
> > PHP packages to *not* configure with:
> >
> > 	--enable-force-cgi-redirect
> 
> This I agree with.

I do not. It is an important security measure according to PHP (Zend)
developers. It can be switched off via php.ini's cgi.force_redirect
easily.
 
> > 	--enable-discard-path
> 
> This I would agree with, only if it can be shown that it still works if the
> PHP CGI program is run from somewhere other than the /cgi-bin/php path of a
> non-Apache webserver.

According to:

http://www.php.net/manual/en/security.cgi-bin.shell.php

it appears such a setup would not work; PATH_INFO and PATH_TRANSLATED
would contain incorrect info.
 
> > We should also build them with FastCGI support (--enable-fastcgi) to
> > facilitate setting up a usable PHP installation for use with non-Apache
> > web-servers.  This would also be usable by Apache if a webadmin chooses
> > to use FastCGI PHP instead of mod_php.
> 
> Yes, since libfcgi is included with the package (thus this adds no more
> dependencies).

Yes, this would be useful - thanks for pointing it out.

Jaromir
-- 
Jaromir Dolecek <jdolecek@NetBSD.org>            http://www.NetBSD.cz/
-=- We can walk our road together if our goals are all the same;     -=-
-=- We can run alone and free if we pursue a different aim.          -=-