Bug 537535 - using addhandler for php has serious security implications
Summary: using addhandler for php has serious security implications
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: php
Version: 5.4
Hardware: All
OS: Linux
Priority: low
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Joe Orton
QA Contact: BaseOS QE - Apps
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2009-11-14 06:51 UTC by Joe Pruett
Modified: 2010-03-28 20:29 UTC (History)
CC List: 0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-28 20:29:14 UTC
Target Upstream Version:
Embargoed:



Description Joe Pruett 2009-11-14 06:51:27 UTC
Description of problem:
Using AddHandler for PHP has very unexpected behavior that can lead to really bad security problems. AddHandler matches the extension anywhere in the filename, so foo.php.jpg will be run as PHP code.

Version-Release number of selected component (if applicable):
All in RHEL 5.

How reproducible:
always

Steps to Reproduce:
1. create file foo.php.jpg with php code as contents and place in web accessible directory
2. visit appropriate url to access file
Actual results:
PHP code is run and HTML displayed.

Expected results:
Malformed image, PHP code displayed as text, something else, but not running it as PHP.

Additional info:
This has major implications for web apps that allow uploads into web folders for things like images, PDF files, etc., expecting that anything.jpg is safe.

See:
http://httpd.apache.org/docs/2.0/mod/mod_mime.html#multipleext
for info about multiple extensions.

A better way to activate PHP is:

# Match only on the final extension. Unlike AddHandler, this regex does
# not match foo.php.jpg, where mod_mime treats .php as one of several extensions.
<FilesMatch "\.php$">
    SetHandler php5-script
    ForceType text/html
</FilesMatch>
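The behaviour described in the report, modelled as an added example (this is not code from the bug report, from Apache httpd, or from Red Hat's php package). The script reproduces mod_mime's multiple-extension rule from the linked documentation, which treats every dot-separated segment after the first as an extension and compares extensions case-insensitively, and contrasts the handler an AddHandler-based configuration assigns with the one the anchored FilesMatch form assigns. The ADD_HANDLER and ADD_TYPE tables stand in for the directives and are constructed for this example; php5-script is the handler name the report uses. is_safe_upload_name is an assumed upload-side check, not anything the report or httpd provides.

```python
import re
from typing import FrozenSet, List, Optional, Tuple

# Stand-ins for the mod_mime directive tables (constructed for this example):
#   AddHandler php5-script .php
#   AddType image/jpeg .jpg  (etc.)
ADD_HANDLER = {"php": "php5-script"}
ADD_TYPE = {
    "jpg": "image/jpeg",
    "png": "image/png",
    "pdf": "application/pdf",
    "html": "text/html",
}

# Equivalent of the anchored <FilesMatch "\.php$"> form from the report:
# a regex on the basename that is anchored at the end and case-sensitive.
FILES_MATCH_PHP = re.compile(r"\.php$")


def mod_mime_extensions(filename: str) -> List[str]:
    """Split a basename the way mod_mime does for multiple extensions.

    Every dot-separated segment after the first is an extension, and
    AddHandler/AddType arguments are case-insensitive, so "foo.PHP.jpg"
    yields ["php", "jpg"].
    """
    base = filename.rsplit("/", 1)[-1]
    return [seg.lower() for seg in base.split(".")[1:] if seg]


def handler_via_addhandler(filename: str) -> Optional[str]:
    """Handler assigned when PHP is wired up with AddHandler.

    mod_mime walks every extension; a handler mapping on any of them
    applies (the last one that matches wins), and the position of the
    extension in the name does not matter. That is why foo.php.jpg runs.
    """
    handler = None
    for ext in mod_mime_extensions(filename):
        if ext in ADD_HANDLER:
            handler = ADD_HANDLER[ext]
    return handler


def handler_via_filesmatch(filename: str) -> Optional[str]:
    """Handler assigned by the FilesMatch + SetHandler form.

    Only a name whose final extension is literally ".php" gets the handler.
    """
    base = filename.rsplit("/", 1)[-1]
    return "php5-script" if FILES_MATCH_PHP.search(base) else None


def is_safe_upload_name(
    filename: str,
    allowed: FrozenSet[str] = frozenset({"jpg", "png", "pdf"}),
) -> bool:
    """Assumed upload-side check for an app that writes user files into the web root.

    Accept a name only if it carries exactly one extension, that extension
    is on the allowlist, and the extension maps to no handler. This rejects
    foo.php.jpg and foo.jpg.php alike; it does not replace locking the
    upload directory down in the server configuration.
    """
    exts = mod_mime_extensions(filename)
    if len(exts) != 1:
        return False
    return exts[0] in allowed and exts[0] not in ADD_HANDLER


def audit(filenames: List[str]) -> List[Tuple[str, Optional[str], Optional[str], bool]]:
    """Per file: (name, handler under AddHandler, handler under FilesMatch, safe upload name?)."""
    return [
        (f, handler_via_addhandler(f), handler_via_filesmatch(f), is_safe_upload_name(f))
        for f in filenames
    ]


if __name__ == "__main__":
    # Constructed sample of names an upload directory might end up containing.
    sample = ["photo.jpg", "foo.php.jpg", "foo.PHP.jpg", "report.pdf",
              "index.php", "notes.jpg.php"]
    for name, add, fm, safe in audit(sample):
        print(f"{name:14} AddHandler={add!s:12} FilesMatch={fm!s:12} safe_upload={safe}")
```

Running audit over the sample shows the asymmetry the report is about: foo.php.jpg and foo.PHP.jpg get php5-script under AddHandler and nothing under FilesMatch, while index.php gets the handler under both. The regex form is also case-sensitive, so a name like foo.PHP would not be handed to PHP by it at all; if that matters for a site, it has to be decided explicitly rather than inherited from mod_mime's case folding.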

Comment 1 Joe Orton 2010-03-28 20:29:14 UTC
If you have an area of your site which allows untrusted users to upload content and immediately makes that world-viewable, you likely have a security problem anyway.  You generally need to lock down such areas at least using ForceType, or simply by making them inaccessible and vetting them before moving them to be accessible.

