httpd-users mailing list archives

From Frank Gingras <francois.ging...@gmail.com>
Subject Re: [users@httpd] directoryindexing or what?
Date Wed, 19 Oct 2011 01:50:31 GMT


On 18/10/11 02:51 PM, Mark Montague wrote:
> On October 18, 2011 14:35 , Frank Gingras <francois.gingras@gmail.com>
> wrote:
>> You should not use AddType for this. Instead, use:
>>
>> <FilesMatch \.php$>
>> SetHandler application/x-httpd-php
>> </FilesMatch>
>>
>> See http://wiki.apache.org/httpd/PHPDownload and
>> http://www.php.net/manual/en/install.unix.apache2.php
>
> Can you elaborate on that? I use AddType because avoiding the regular
> expression match done by FilesMatch is presumably more efficient. But is
> there a problem with this? If so, what is it?
>
> I checked both of the web pages you link to above (including all of the
> comments on the second one), but while the AddType method is not talked
> about on either of them, it's not warned about, either. The PHPDownload
> page says "check the value of the Content-Type: http header. If it's
> application/x-httpd-php, you'll need to remove all erroneous references
> to that value as a mime type in your config." When I use AddType in my
> configuration, the Content-Type header for a PHP page has the value
> "text/html; charset=utf-8"; hence I am assuming that my use of AddType
> is not an erroneous use.
>
> Any insights you can provide would be appreciated.
>
> --
> Mark Montague
> mark@catseye.org
>

Mark,

The main issue with using AddType is that a misconfigured client can 
download the unaltered php source code, instead of the generated 
text/html output, as intended.

All it takes is browser cache, or an ill-intentioned HTTP client to pass 
the wrong mime type to the HTTP server.

AddType, on that topic, is merely there to 'suggest' what mime type the 
HTTP client should expect a certain file extension to be. Leaving that 
kind of control in the hands of the HTTP clients is dangerous, 
especially when passwords and other pieces of sensitive information can 
be stored in those scripts.

Up until a year ago or so, the official mod_php documentation was 
*still* recommending AddType over AddHandler / SetHandler. Thankfully, 
Rich Bowen rectified that.

Note that you can also use AddHandler with .php, but you need to be 
aware that AddHandler will match any .php extension in the file name, 
and will not enforce it to be present at the end, i.e. foo.php.bak.

I hope this clears up the previous comment. The purpose of the change 
was security, and FilesMatch was deemed a good compromise in that case.

Frank.
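For reference, the three ways of mapping .php to mod_php that this thread discusses, side by side, as an added example that is not part of Frank's or Mark's messages. It assumes mod_php is loaded, uses the handler name quoted in the thread, and the optional deny block at the end uses httpd 2.4 access-control syntax.

```apache
# Added illustration, not taken from the original thread.
# Assumes mod_php is loaded and the handler is named application/x-httpd-php.

# 1. AddType: the form the thread advises against. It only assigns a MIME
#    type to the .php extension and leaves the handler to be inferred from
#    it; Frank's point is that a client supplying the wrong type can end up
#    receiving the unprocessed source instead of the generated output.
# AddType application/x-httpd-php .php

# 2. AddHandler: binds the handler directly, with the caveat Frank raises:
#    mod_mime applies it to any filename containing a .php extension, so
#    foo.php.bak is also handed to mod_php.
# AddHandler application/x-httpd-php .php

# 3. FilesMatch + SetHandler: the form recommended in the thread. The
#    anchored regex only matches when .php is the final extension, so
#    foo.php.bak is not treated as PHP.
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

# Optional complement (assumption, httpd 2.4 syntax): files that form 3
# deliberately excludes from the handler, such as foo.php.bak, would still
# be served as static content if they sit in the DocumentRoot, so refuse
# them outright rather than expose script source.
<FilesMatch "\.php\.">
    Require all denied
</FilesMatch>

# Verification, per the PHPDownload wiki page cited in the thread:
#   curl -sI http://localhost/test.php | grep -i '^content-type'
# should report text/html (possibly with a charset), not
# application/x-httpd-php.
```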

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

