[CentOS] php config security concern for c5

Wed Nov 18 17:39:30 UTC 2009
Joe Pruett <joey at clean.q7.com>

>> what in the docs are you reading to indicate forcetype won't work?
>
> http://httpd.apache.org/docs/2.2/mod/core.html#forcetype
> says it works only if given in directory-type context and that's unlikely to
> happen here. You would rather set the FilesMatch global.

i think that directory context is not just <Directory>, and the text at 
the url says the directive may be placed in <directory>, <location>, or 
<files> which i assume means <filesmatch> as well.

> i just
>> put that in to match the addtype clause i removed.  i didn't even check to
>> see if the php module sets the type to text/html by default already.
>
> it does, but you can override it. I guess you can*not* override Forcetype,
> which might be a problem. Many PHP outputs will not be text.

i did some more testing and i was able to override the forcetype (if it 
truly is working) via header('content-type'), like you'd do for serving 
images via php.  i guess i haven't tested without forcetype yet...

> I think the AddType can stay there just fine. It's the AddHandler directive
> that creates the problem. And one may rather consider this a bug in httpd.
> AFAIK, the multiple extension handling is mostly there to allow content
> negotiation. If so, then this functionality should be limited to the options
> that are available to content-negotiation in that given configuration - e.g.
> php.en php.es and not to any "unknown" string.

right, the reason is to allow foo.en.html or foo.html.en.  i'm not sure i 
agree that is good, but for simple text conditionals it is fine.  using it 
for php is just bad.