[CentOS] php config security concern for c5
Kai Schaetzl
maillists at conactive.com
Tue Nov 17 13:32:09 UTC 2009
Joe Pruett wrote on Mon, 16 Nov 2009 08:43:41 -0800 (PST):
> what in the docs are you reading to indicate forcetype won't work?
http://httpd.apache.org/docs/2.2/mod/core.html#forcetype
says it works only if given in directory-type context and that's unlikely to
happen here. You would rather set the FilesMatch global.
> i just
> put that in to match the addtype clause i removed. i didn't even check to
> see if the php module sets the type to text/html by default already.
It does, but you can override it. I guess you can*not* override ForceType,
which might be a problem. Many PHP outputs will not be text.
I think the AddType can stay there just fine. It's the AddHandler directive
that creates the problem. And one may rather consider this a bug in httpd.
AFAIK, the multiple extension handling is mostly there to allow content
negotiation. If so, then this functionality should be limited to the options
that are available to content-negotiation in that given configuration - e.g.
php.en php.es and not to any "unknown" string.
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
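
Added example (not part of the original message, and not code from httpd or CentOS): a simplified Python model of the multiple-extension lookup discussed above, compared with an end-anchored FilesMatch pattern, which lists the file names that only the AddHandler form would hand to PHP. The handler name php5-script, the extension tables and the sample file names are assumptions constructed for illustration.

```python
import re

# Assumed tables modelling "AddHandler php5-script .php", "AddType text/html .php"
# and ordinary media types. Handlers and media types are separate metadata.
HANDLERS = {"php": "php5-script"}
MEDIA_TYPES = {"php": "text/html", "jpg": "image/jpeg", "txt": "text/plain"}

def mime_lookup(filename):
    """Look up every extension; for each kind of metadata the rightmost match wins."""
    handler = media_type = None
    for ext in filename.lower().split(".")[1:]:   # first component is the base name
        handler = HANDLERS.get(ext, handler)      # unknown extensions change nothing
        media_type = MEDIA_TYPES.get(ext, media_type)
    return handler, media_type

ANCHORED = re.compile(r"\.php$")  # the test a <FilesMatch \.php$> section applies

def filesmatch_handler(filename):
    """Handler when only a name ending in .php can select PHP."""
    return "php5-script" if ANCHORED.search(filename) else None

def audit(filenames):
    """Names the AddHandler model sends to PHP although they do not end in .php."""
    return [name for name in filenames
            if mime_lookup(name)[0] and not filesmatch_handler(name)]

# Constructed sample listing of a document root.
SAMPLE = ["index.php", "holiday.jpg", "avatar.php.jpg", "notes.php.bak",
          "page.php.en", "php.txt", "readme.txt"]

if __name__ == "__main__":
    for name in audit(SAMPLE):
        handler, media_type = mime_lookup(name)
        print(f"{name}: handler={handler} media_type={media_type}")
```

In this model avatar.php.jpg ends up with media type image/jpeg but still carries the PHP handler, which is the difference between the AddType and AddHandler directives that the message points at.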