Using the following default configuration, apache runs .html.php files as if
those end with .php:
> AddHandler php5-script .php
> AddType text/html .php
In our case such files were automatically generated by phpDocumentor. As quick
workaround, the settings above can be replaces with:
> AddType application/x-httpd-php .php
This no longer causes .php.html to be executed. To me, it seams like this is an
Apache bug. In the unlikely event a website allows .html to be uploaded, it also
becomes a security concern.
IMHO, it isn't an Apache bug; The mime type "text/html" should be:
AddType text/html html htm
and only the "application/x-httpd-php" needs to be:
AddType application/x-httpd-php .php
This line tell Apache to feed all *.php files through the PHP module.
I've checked my Apache configuration files. When configuring the server, we did
not insert those AddHandler/AddType lines. Those are _default_ Fedora Core 6
settings in /etc/httpd/conf.d/php.conf.
I can't find any reference to "AddType text/html html htm" in my httpd.conf,
which only has minor changes compared to the default configuration.
After some config tests, using "AddHandler php5-script .php" alone without any
AddType also causes Apache to execute .php.html files too. The AddHandler
directive is the preferred method to configure PHP in Apache 2. Using AddType
will also clash with mod_security (http://bugs.php.net/bug.php?id=36772).
Right - this is expected behaviour in the default configuration; see:
you can force .html files in a particular directory to be served using a
specific handler using SetHandler in a <Files> block, for example; if so desired.