[CentOS] php config security concern for c5
Joe Pruett
joey at clean.q7.com
Wed Nov 18 17:39:30 UTC 2009
>> what in the docs are you reading to indicate forcetype won't work?
>
> http://httpd.apache.org/docs/2.2/mod/core.html#forcetype
> says it works only if given in directory-type context and that's unlikely to
> happen here. You would rather set the FilesMatch global.
i think that directory context is not just <Directory>, and the text at
the url says the directive may be placed in <directory>, <location>, or
<files> which i assume means <filesmatch> as well.
> i just
>> put that in to match the addtype clause i removed. i didn't even check to
>> see if the php module sets the type to text/html by default already.
>
> it does, but you can override it. I guess you can*not* override Forcetype,
> which might be a problem. Many PHP outputs will not be text.
i did some more testing and i was able to override the forcetype (if it
truly is working) via header('content-type'), like you'd do for serving
images via php. i guess i haven't tested without forcetype yet...
> I think the AddType can stay there just fine. It's the AddHandler directive
> that creates the problem. And one may rather consider this a bug in httpd.
> AFAIK, the multiple extension handling is mostly there to allow content
> negotiation. If so, then this functionality should be limited to the options
> that are available to content-negotiation in that given configuration - e.g.
> php.en php.es and not to any "unknown" string.
right, the reason is to allow foo.en.html or foo.html.en. i'm not sure i
agree that is good, but for simple text conditionals it is fine. using it
for php is just bad.
More information about the CentOS
mailing list