Bug 243992

Summary: Files ending with .php.html are executed as PHP
Product: [Fedora] Fedora
Reporter: Diederik van der Boor <vdboor>
Component: httpd
Assignee: Joe Orton <jorton>
Status: CLOSED NOTABUG
Severity: low
Priority: low    
Version: 6   
Hardware: i386   
OS: Linux   
Last Closed: 2007-07-03 20:50:08 UTC

Description Diederik van der Boor 2007-06-13 09:36:38 UTC
Using the following default configuration, Apache runs .html.php files as if
those end with .php:

> AddHandler php5-script .php
> AddType text/html .php

In our case such files were automatically generated by phpDocumentor. As a quick
workaround, the settings above can be replaced with:

> AddType application/x-httpd-php .php

This no longer causes .php.html to be executed. To me, it seems like this is an
Apache bug. In the unlikely event a website allows .html to be uploaded, it also
becomes a security concern.

Comment 1 Gianluca Varisco 2007-06-13 09:44:24 UTC
IMHO, it isn't an Apache bug; the MIME type "text/html" should be:

AddType text/html html htm

and only the "application/x-httpd-php" needs to be:

AddType application/x-httpd-php .php

This line tells Apache to feed all *.php files through the PHP module.


Comment 2 Diederik van der Boor 2007-06-13 10:18:44 UTC
I've checked my Apache configuration files. When configuring the server, we did
not insert those AddHandler/AddType lines. Those are _default_ Fedora Core 6
settings in /etc/httpd/conf.d/php.conf.

I can't find any reference to "AddType text/html html htm" in my httpd.conf,
which only has minor changes compared to the default configuration.

After some config tests, using "AddHandler php5-script .php" alone without any
AddType also causes Apache to execute .php.html files too. The AddHandler
directive is the preferred method to configure PHP in Apache 2. Using AddType
will also clash with mod_security (http://bugs.php.net/bug.php?id=36772).

Comment 3 Joe Orton 2007-07-03 20:50:08 UTC
Right - this is expected behaviour in the default configuration; see:

http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext

you can force .html files in a particular directory to be served using a
specific handler using SetHandler in a <Files> block, for example; if so desired.
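
Added example, not part of the original bug thread: a simplified Python model of the mod_mime multiple-extension rule linked in Comment 3, used to audit a file list for names that reach the PHP handler through a non-final extension. The handler name `php5-script` comes from the report; the `<FilesMatch>` alternative, the function names and the sample paths are assumptions made for illustration.

```python
# AddHandler mapping from the php.conf lines quoted in the report.
ADD_HANDLER = {"php": "php5-script"}


def mime_handler(filename, add_handler=ADD_HANDLER):
    """Simplified mod_mime handler lookup: every dot-separated extension
    after the base name is checked (case-insensitively) and the rightmost
    one that has a handler mapping wins; unmapped extensions change nothing."""
    handler = None
    for ext in filename.split(".")[1:]:
        handler = add_handler.get(ext.lower(), handler)
    return handler


def strict_handler(filename, handler="php5-script"):
    # Assumed alternative: handler bound only to names that END in ".php",
    # e.g. SetHandler php5-script inside <FilesMatch "\.php$">.
    return handler if filename.endswith(".php") else None


def audit(paths):
    """Return (path, handler) for files that are handed to a handler only
    because of a non-final extension, such as Parser.php.html."""
    findings = []
    for path in paths:
        name = path.rsplit("/", 1)[-1]
        handler = mime_handler(name)
        if handler and strict_handler(name) is None:
            findings.append((path, handler))
    return findings


# Constructed sample file list (not taken from the report).
SAMPLE = [
    "docs/index.html",
    "docs/Parser.php.html",   # phpDocumentor-style output, as in the report
    "docs/Old.PHP.bak",       # extension matching is case-insensitive
    "app/login.php",          # ends in .php: expected to run as PHP
    "dist/archive.tar.gz",
]

if __name__ == "__main__":
    for path, handler in audit(SAMPLE):
        print(f"{path}: served via {handler}")
```

Running `audit` over a document root listing before and after a configuration change shows which files stop being passed to PHP once the handler is tied to the final extension only.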