Message-ID: <4462D462.3060306@rowe-clan.net>
Date: Thu, 11 May 2006 01:06:26 -0500
From: "William A. Rowe, Jr."
To: dev@httpd.apache.org
Subject: Re: Laying undead myths to rest
In-Reply-To: <4462C92B.20603@lerdorf.com>

Rasmus Lerdorf wrote:
> William A. Rowe, Jr. wrote:
>
>> Joseph Dane wrote:
>>
>>> Joshua Slive writes:
>>>
>>>> In very early versions of the Apache HTTP Server, the
>>>> AddType directive was also used to activate
>>>> special server-side processing (such as mod_include
>>>> or PHP) by assigning "magic" MIME types to files. This can create
>>>> problems in more recent versions and should be avoided in favor of
>>>> using the AddHandler directive.
>>>
>>> for the record (not necessarily for the docs) can you expand on the
>>> sort of problems that might arise?
>>
>> It actually avoids more problems than it creates, consider the
>> example.php.txt file, which if done with AddHandler will always run
>> through the php handler, while if done with mime types will devolve
>> to text/plain through the standard handler (which is what's implied
>> by the filename ordering.)
>
> Right, which is not what the average Joe expects.
>
> Nick, these ****'s over here were actually around in 1996 when this was
> added and understand very well the difference between AddType and
> AddHandler. The folks who understand the difference can of course use
> either, but for those who don't, AddType's behaviour is the one people
> understand. If we asked people to go and change all their AddTypes to
> AddHandler it could actually cause a number of nasty security problems
> so we have no motivation to do that.
The one way that AddHandler could be changed to ***enforce*** security would be to - unlike types and other multiview negotiated documents - actually require the filename ENDS with the corresponding pattern. That would mean that sample.cgi.txt would not hit the cgi-handler. That would mean that foo.php.en wouldn't be served correctly, but foo.en.php -could- be properly served. This in fact is a good thing, consider that win32 might grok how to handle foo.pl, but have no friggin clue what to do with foo.pl.en.

Thoughts?
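
Added example, not part of the original message and not Apache's code: a simplified Python model of the two matching rules discussed in this thread, run over the filenames the thread mentions, with an audit helper that lists files whose handler comes from a non-final extension. The mapping tables, handler names and function names are constructed assumptions.

```python
# Simplified model of the behaviour described in this thread.
# It is not mod_mime's implementation; mappings below are constructed samples.
HANDLERS = {"php": "php-handler", "cgi": "cgi-script", "pl": "cgi-script"}
TYPES = {"php": "application/x-httpd-php", "txt": "text/plain"}

# Filenames taken from the thread.
SAMPLES = ["example.php.txt", "sample.cgi.txt", "foo.php.en",
           "foo.en.php", "foo.pl", "foo.pl.en"]


def extensions(filename):
    """Dot-separated extensions after the base name, lowercased."""
    return [p.lower() for p in filename.split(".")[1:] if p]


def handler_any_position(filename):
    """AddHandler as described: a mapped extension anywhere selects the handler."""
    chosen = None
    for ext in extensions(filename):
        chosen = HANDLERS.get(ext, chosen)  # rightmost mapped extension wins
    return chosen


def handler_final_only(filename):
    """Proposed rule: the filename must END with the mapped extension."""
    exts = extensions(filename)
    return HANDLERS.get(exts[-1]) if exts else None


def content_type(filename):
    """AddType as described: the rightmost extension with a type decides."""
    chosen = None
    for ext in extensions(filename):
        chosen = TYPES.get(ext, chosen)
    return chosen


def audit(filenames):
    """Files handled only because of a non-final extension."""
    return [(f, handler_any_position(f)) for f in filenames
            if handler_any_position(f) != handler_final_only(f)]


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:16} any={handler_any_position(name)!s:12} "
              f"final={handler_final_only(name)!s:12} type={content_type(name)}")
    print("changed by the proposal:", audit(SAMPLES))
```
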