
Bug#562006: apache2 default php setup is wrong



reassign 562006 libapache2-mod-php5
forcemerge 491928 562006
thanks

On Monday 21 December 2009, Paul Tagliamonte wrote:
> <FilesMatch \.php$>
>   SetHandler application/x-httpd-php
> </FilesMatch>

This has been fixed in mod_php 5.2.11.dfsg.1-2. Probably you are using 
an old version of /etc/apache2/mods-available/php5.conf (or you did 
the bug report from a different machine).

> the issue lies in the fact that AddType 'suggests' to the HTTP
>  clients what to do with .php files, instead of forcing the server
>  to parse it. This causes the server to hand out the PHP file
>  because it depends on the client to ask nicely.

This interpretation is not correct. The problem with AddType is that 
things like blah.php.jpg will be executed as a PHP script. Or looking at 
it differently: you describe the normal meaning of AddType but mod_php 
does some special magic to execute the php script.

> This behavior, and work-around is outlined clearly here [1].
> 
> This can be considered a security risk, it is common to have
>  passwords and other sensitive data in the php script.

No, the issue described there is that if you have viewed the file 
before enabling mod_php, the browser will cache the source code.
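
An added example, not part of the original message or of the Debian package: a small Python check that flags extension-keyed PHP mappings (AddType/AddHandler) in php5.conf-style text and confirms the anchored <FilesMatch> form quoted above. The function names and both sample configurations are constructed for illustration; non_final_php lists names such as the message's blah.php.jpg so they can be reviewed.

```python
import re

# mod_mime directives that map PHP by filename extension.
EXT_MAP = re.compile(r'^\s*(AddType|AddHandler)\s+(\S*php\S*)\s+(.+)$', re.I)
FILES_OPEN = re.compile(r'^\s*<FilesMatch\s+"?([^">]+)"?\s*>', re.I)
FILES_CLOSE = re.compile(r'^\s*</FilesMatch>', re.I)
SET_HANDLER = re.compile(r'^\s*SetHandler\s+(\S*php\S*)', re.I)

def audit_php_conf(text):
    """Return (line_no, level, message) findings for php5.conf-style text."""
    findings, pattern = [], None
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue  # Apache comments are whole lines starting with '#'
        if m := EXT_MAP.match(line):
            findings.append((no, "WARN", f"{m.group(1)} {m.group(2)} is keyed on "
                             f"extensions {m.group(3).split()}, not on the full name"))
        elif m := FILES_OPEN.match(line):
            pattern = m.group(1)
        elif FILES_CLOSE.match(line):
            pattern = None
        elif (m := SET_HANDLER.match(line)) and pattern is not None:
            anchored = pattern.endswith('$') and not pattern.endswith('\\$')
            findings.append((no, "OK" if anchored else "WARN",
                             f"SetHandler {m.group(1)} inside FilesMatch {pattern!r}"
                             + ("" if anchored else " (pattern not anchored with $)")))
    return findings

def non_final_php(names):
    """Names carrying 'php' as an extension that is not the last one."""
    return [n for n in names if 'php' in n.lower().split('.')[1:-1]]

# Constructed samples: an AddType-style file and the FilesMatch form from the message.
OLD_CONF = """<IfModule mod_php5.c>
  AddType application/x-httpd-php .php .phtml .php3
  AddType application/x-httpd-php-source .phps
</IfModule>
"""
NEW_CONF = r"""<IfModule mod_php5.c>
  <FilesMatch \.php$>
    SetHandler application/x-httpd-php
  </FilesMatch>
</IfModule>
"""

if __name__ == "__main__":
    for label, conf in (("old", OLD_CONF), ("new", NEW_CONF)):
        for finding in audit_php_conf(conf):
            print(label, *finding)
    print(non_final_php(["index.php", "blah.php.jpg", "logo.jpg"]))
```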


