Re: directoryindexing or what?

On 18/10/11 02:51 PM, Mark Montague wrote:
> On October 18, 2011 14:35 , Frank Gingras <francois.gingras@xxxxxxxxx>
> wrote:
>> You should not use AddType for this. Instead, use:
>>
>> <FilesMatch \.php$>
>> SetHandler application/x-httpd-php
>> </FilesMatch>
>>
>> See http://wiki.apache.org/httpd/PHPDownload and
>> http://www.php.net/manual/en/install.unix.apache2.php
>
> Can you elaborate on that? I use AddType because avoiding the regular
> expression match done by FilesMatch is presumably more efficient. But is
> there a problem with this? If so, what is it?
>
> I checked both of the web pages you link to above (including all of the
> comments on the second one), but while the AddType method is not talked
> about on either of them, it's not warned about, either. The PHPDownload
> page says "check the value of the Content-Type: http header. If it's
> application/x-httpd-php, you'll need to remove all erroneous references
> to that value as a mime type in your config." When I use AddType in my
> configuration, the Content-Type header for a PHP page has the value
> "text/html; charset=utf-8"; hence I am assuming that my use of AddType
> is not an erroneous use.
>
> Any insights you can provide would be appreciated.
>
> --
> Mark Montague
> mark@xxxxxxxxxxx


Mark,

The main issue with using AddType is that a misconfigured client can download the unaltered PHP source code, instead of the generated text/html output, as intended.

All it takes is a browser cache, or an ill-intentioned HTTP client to pass the wrong mime type to the HTTP server.

AddType, on that topic, is merely there to 'suggest' what mime type the HTTP client should expect a certain file extension to be. Leaving that kind of control in the hands of the HTTP clients is dangerous, especially when passwords and other pieces of sensitive information can be stored in those scripts.

Up until a year ago or so, the official mod_php documentation was *still* recommending AddType over AddHandler / SetHandler. Thankfully, Rich Bowen rectified that.

Note that you can also use AddHandler with .php, but you need to be aware that AddHandler will match any .php extension in the file name, and will not enforce it to be present at the end, i.e. foo.php.bak.

I hope this clears up the previous comment. The purpose of the change was security, and FilesMatch was deemed a good compromise in that case.

Frank.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
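
An added example, not part of the original message or of the Apache documentation: a small audit helper that flags the `AddType`/`AddHandler` PHP mappings discussed above in a configuration file and lists file names that `AddHandler` would hand to PHP but `<FilesMatch \.php$>` would not (such as `foo.php.bak`). The function names, the sample configuration and the file list are constructed for illustration, and the extension matching is a simplified model of the behaviour Frank describes.

```python
import re

# PHP mappings the thread advises against (AddType, or AddHandler on .php).
RISKY = re.compile(
    r"^\s*(AddType\s+application/x-httpd-php\b"
    r"|AddHandler\s+\S+\s+(.*\s)?\.?php\b)",
    re.IGNORECASE)
# Same regex as the recommended <FilesMatch> block: .php only at the end.
FILESMATCH = re.compile(r"\.php$")


def risky_directives(config_text):
    """Return (line_number, line) for each AddType/AddHandler PHP mapping."""
    hits = []
    for n, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip comments
        if RISKY.match(line):
            hits.append((n, line.strip()))
    return hits


def addhandler_matches(filename, ext="php"):
    """Simplified model: any dot-separated extension after the base name counts."""
    return ext in filename.lower().split(".")[1:]


def extra_exposure(filenames):
    """Names AddHandler would treat as PHP that the FilesMatch regex rejects."""
    return [f for f in filenames
            if addhandler_matches(f) and not FILESMATCH.search(f)]


# Constructed sample input.
SAMPLE_CONFIG = """\
# PHP setup
AddType application/x-httpd-php .php
AddHandler application/x-httpd-php .php
<FilesMatch \\.php$>
    SetHandler application/x-httpd-php
</FilesMatch>
"""
SAMPLE_FILES = ["index.php", "foo.php.bak", "config.php.old", "notes.txt", "php.txt"]

if __name__ == "__main__":
    for n, line in risky_directives(SAMPLE_CONFIG):
        print(f"line {n}: {line}")
    print("AddHandler-only matches:", extra_exposure(SAMPLE_FILES))
```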


