Re: php config security concern for c5

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



Joe Pruett wrote on Mon, 16 Nov 2009 08:43:41 -0800 (PST):

> what in the docs are you reading to indicate forcetype won't work?

http://httpd.apache.org/docs/2.2/mod/core.html#forcetype
says it works only if given in directory-type context and that's unlikely to 
happen here. You would rather set the FilesMatch global.

i just 
> put that in to match the addtype clause i removed.  i didn't even check to 
> see if the php module sets the type to text/html by default already.

it does, but you can override it. I guess you can*not* override Forcetype, 
which might be a problem. Many PHP outputs will not be text.

I think the AddType can stay there just fine. It's the AddHandler directive 
that creates the problem. And one may rather consider this a bug in httpd. 
AFAIK, the multiple extension handling is mostly there to allow content 
negotiation. If so, then this functionality should be limited to the options 
that are available to content-negotiation in that given configuration - e.g. 
php.en php.es and not to any "unknown" string.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com



_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos


[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux