Description of problem:
using addhandler for php has very unexpected behavior that can lead to really bad security problems. addhandler matches the extension anywhere in the filename, so foo.php.jpg will be run as php code.
Version-Release number of selected component (if applicable):
all in rhel5
Steps to Reproduce:
1. create file foo.php.jpg with php code as contents and place in web accessible directory
2. visit appropriate url to access file
php code is run and html displayed
malformed image, php code displayed as text, something else, but not running it as php
this has major implications for web apps that allow uploads into web folders for things like images, pdf files, etc. expecting that anything.jpg is safe.
for info about multiple extensions.
a better way to activate php is:
If you have an area of your site which allows untrusted users to upload content and immediately makes that world-viewable, you likely have a security problem anyway. You generally need to lock down such areas at least using ForceType, or simply by making them inaccessible and vetting them before moving them to be accessible.