[CentOS] php config security concern for c5

Tue Nov 17 13:32:09 UTC 2009
Kai Schaetzl <maillists at conactive.com>

Joe Pruett wrote on Mon, 16 Nov 2009 08:43:41 -0800 (PST):

> what in the docs are you reading to indicate forcetype won't work?

http://httpd.apache.org/docs/2.2/mod/core.html#forcetype
says it works only if given in directory-type context and that's unlikely to 
happen here. You would rather set the FilesMatch global.

> i just put that in to match the addtype clause i removed.  i didn't even check to 
> see if the php module sets the type to text/html by default already.

it does, but you can override it. I guess you can*not* override ForceType, 
which might be a problem. Many PHP outputs will not be text.

I think the AddType can stay there just fine. It's the AddHandler directive 
that creates the problem. And one may rather consider this a bug in httpd. 
AFAIK, the multiple extension handling is mostly there to allow content 
negotiation. If so, then this functionality should be limited to the options 
that are available to content-negotiation in that given configuration - e.g. 
php.en php.es and not to any "unknown" string.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
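
The multiple-extension handling discussed in this message, as an added example that is not part of the original post: a simplified Python model of how an `AddHandler` mapping is applied to every dot-separated extension of a file name, compared with a `<FilesMatch "\.php$">` scope. The handler name `php5-script`, the regex and the file names are assumptions constructed for illustration.

```python
import re

# Assumed mapping, standing in for "AddHandler php5-script .php".
HANDLER_EXTS = {"php": "php5-script"}
# Assumed scoped alternative: SetHandler inside <FilesMatch "\.php$">.
FILESMATCH = re.compile(r"\.php$")


def _basename(path):
    return path.rsplit("/", 1)[-1]


def addhandler_handler(path):
    """Simplified model of mod_mime: every dot-separated extension is looked
    up, extensions with no mapping are skipped, and a handler found on any
    of them sticks. The first component is the base name, not an extension."""
    parts = _basename(path).split(".")
    handler = None
    for ext in parts[1:]:
        handler = HANDLER_EXTS.get(ext.lower(), handler)
    return handler


def filesmatch_handler(path):
    """Handler assigned when it is set only for names ending in .php."""
    return "php5-script" if FILESMATCH.search(_basename(path)) else None


def audit(paths):
    """Return names that the AddHandler model hands to PHP but the
    FilesMatch scope does not."""
    return [p for p in paths
            if addhandler_handler(p) and not filesmatch_handler(p)]


# Constructed sample names, not taken from any real system.
SAMPLE_NAMES = [
    "index.php",       # handled under both configurations
    "index.php.en",    # the content-negotiation case from the message
    "config.php.bak",  # "unknown" trailing string, still handled by AddHandler
    "photo.jpg",
    "php.txt",         # "php" is the base name here, not an extension
    "archive.tar.gz",
]

if __name__ == "__main__":
    for name in audit(SAMPLE_NAMES):
        print("handled by PHP only under AddHandler:", name)
```

Running `audit()` over a directory listing of a document root gives a quick list of files whose treatment would change if the `AddHandler` line were replaced by the scoped form.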