Using the following default configuration, apache runs .html.php files as if those end with .php: > AddHandler php5-script .php > AddType text/html .php In our case such files were automatically generated by phpDocumentor. As quick workaround, the settings above can be replaces with: > AddType application/x-httpd-php .php This no longer causes .php.html to be executed. To me, it seams like this is an Apache bug. In the unlikely event a website allows .html to be uploaded, it also becomes a security concern.
IMHO, it isn't an Apache bug; The mime type "text/html" should be: AddType text/html html htm and only the "application/x-httpd-php" needs to be: AddType application/x-httpd-php .php This line tell Apache to feed all *.php files through the PHP module.
I've checked my Apache configuration files. When configuring the server, we did not insert those AddHandler/AddType lines. Those are _default_ Fedora Core 6 settings in /etc/httpd/conf.d/php.conf. I can't find any reference to "AddType text/html html htm" in my httpd.conf, which only has minor changes compared to the default configuration. After some config tests, using "AddHandler php5-script .php" alone without any AddType also causes Apache to execute .php.html files too. The AddHandler directive is the preferred method to configure PHP in Apache 2. Using AddType will also clash with mod_security (http://bugs.php.net/bug.php?id=36772).
Right - this is expected behaviour in the default configuration; see: http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext you can force .html files in a particular directory to be served using a specific handler using SetHandler in a <Files> block, for example; if so desired.