Bug 243992 - Files ending with .php.html are executed as PHP
Summary: Files ending with .php.html are executed as PHP
Alias: None
Product: Fedora
Classification: Fedora
Component: httpd   
Version: 6
Hardware: i386
OS: Linux
Assignee: Joe Orton
Reported: 2007-06-13 09:36 UTC by Diederik van der Boor
Modified: 2007-11-30 22:12 UTC (History)
Doc Type: Bug Fix
Last Closed: 2007-07-03 20:50:08 UTC

Description Diederik van der Boor 2007-06-13 09:36:38 UTC
Using the following default configuration, Apache runs .html.php files as if
those end with .php:

> AddHandler php5-script .php
> AddType text/html .php

In our case such files were automatically generated by phpDocumentor. As a quick
workaround, the settings above can be replaced with:

> AddType application/x-httpd-php .php

This no longer causes .php.html to be executed. To me, it seems like this is an
Apache bug. In the unlikely event a website allows .html to be uploaded, it also
becomes a security concern.

Comment 1 Gianluca Varisco 2007-06-13 09:44:24 UTC
IMHO, it isn't an Apache bug; the MIME type "text/html" should be:

AddType text/html html htm

and only the "application/x-httpd-php" needs to be:

AddType application/x-httpd-php .php

This line tells Apache to feed all *.php files through the PHP module.

Comment 2 Diederik van der Boor 2007-06-13 10:18:44 UTC
I've checked my Apache configuration files. When configuring the server, we did
not insert those AddHandler/AddType lines. Those are _default_ Fedora Core 6
settings in /etc/httpd/conf.d/php.conf.

I can't find any reference to "AddType text/html html htm" in my httpd.conf,
which only has minor changes compared to the default configuration.

After some config tests, using "AddHandler php5-script .php" alone without any
AddType also causes Apache to execute .php.html files too. The AddHandler
directive is the preferred method to configure PHP in Apache 2. Using AddType
will also clash with mod_security (http://bugs.php.net/bug.php?id=36772).

Comment 3 Joe Orton 2007-07-03 20:50:08 UTC
Right - this is expected behaviour in the default configuration; see:


You can force .html files in a particular directory to be served using a
specific handler using SetHandler in a <Files> block, for example, if so desired.
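
The behaviour discussed in this report, as an added example that is not part of the bug thread or of Apache's code: a simplified Python model of mod_mime's multiple-extension lookup, run against the two configurations quoted in the description to list files that would reach PHP without ending in .php. The mime.types entries, the sample file names and the rule that the content type selects the handler when no handler is set are assumptions of the model.

```python
import re

# Assumed mime.types entries (TypesConfig); constructed for this example.
MIME_TYPES = {"html": "text/html", "htm": "text/html", "txt": "text/plain"}

# (AddHandler map, AddType map) for the two configurations quoted in the report.
FEDORA_DEFAULT = ({"php": "php5-script"}, {"php": "text/html"})
WORKAROUND = ({}, {"php": "application/x-httpd-php"})

def resolve(filename, add_handler, add_type):
    """Return (handler, content_type) this simplified model assigns."""
    handler = ctype = None
    # The first dot-separated component is the base name; the rest are extensions.
    for ext in filename.lower().split(".")[1:]:
        if ext in add_type:
            ctype = add_type[ext]        # AddType overrides mime.types
        elif ext in MIME_TYPES:
            ctype = MIME_TYPES[ext]      # rightmost known type wins
        if ext in add_handler:
            handler = add_handler[ext]   # not reset by later type-only extensions
    return handler, ctype

def runs_as_php(filename, config):
    handler, ctype = resolve(filename, *config)
    if handler is not None:
        return handler == "php5-script"
    # Model assumption: with no handler set, the content type selects it.
    return ctype == "application/x-httpd-php"

def audit(filenames, config):
    """Files handed to PHP although their final extension is not .php."""
    return [f for f in filenames
            if runs_as_php(f, config) and not re.search(r"\.php$", f.lower())]

# Constructed sample listing of a document root.
SAMPLE = ["index.php", "classtrees.php.html", "readme.html",
          "notes.php.txt", "backup.php.bak"]

if __name__ == "__main__":
    for name, cfg in (("default", FEDORA_DEFAULT), ("workaround", WORKAROUND)):
        print(name, audit(SAMPLE, cfg))
```

In this model the AddType workaround only stops execution when the trailing extension carries its own media type; a trailing extension with no mapping leaves the PHP type in place.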
