Commit
(MODULES-2682) Update Apache Configuration to use FilesMatch instead of AddHandler for PHP Files.

The issue with this is that the extension handling behaviour of Apache is not well known by most PHP developers, and many PHP scripts are open to security issues if this configuration is used (most commonly these scripts handle upload forms which whitelist image extensions). For example, foo.php.jpg will be handled by PHP.

Many distros no longer use AddHandler in their default config: http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/vivid/php5/vivid/view/head:/debian/php5.conf. The PHP manual also recommends avoiding it: http://php.net/manual/en/install.unix.apache2.php#example-20

This is based on Alejandro Bednarik's <alejandro.bednarik@gmail.com> original fix; I added proper regex escaping and a changelog entry. All bugs are mine.
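The difference the commit message describes, as an added example that is not part of the commit or the module: a simplified Python model of how `AddHandler` extension matching and a `FilesMatch` regex each decide whether a file name is handed to PHP. The two patterns `.php$` and `\.php$` and the sample file names (other than foo.php.jpg) are assumptions, since the diff itself is not shown on this page.

```python
import re

# Constructed sample upload names; only foo.php.jpg comes from the commit message.
SAMPLES = ["index.php", "foo.php.jpg", "photo.jpg", "report.php.bak", "myphp"]


def addhandler_matches(filename, ext="php"):
    """Simplified model of mod_mime: every dot-separated part after the base
    name counts as an extension, so 'AddHandler ... .php' applies when ANY
    of them is php, not only the last one."""
    extensions = filename.split(".")[1:]
    return ext.lower() in (e.lower() for e in extensions)


def filesmatch_matches(filename, pattern):
    """Simplified model of <FilesMatch pattern>: a regex search on the name."""
    return re.search(pattern, filename) is not None


def compare(names):
    """Return {name: (AddHandler, unescaped FilesMatch, escaped FilesMatch)}."""
    return {
        n: (
            addhandler_matches(n),
            filesmatch_matches(n, r".php$"),   # unescaped dot matches any character
            filesmatch_matches(n, r"\.php$"),  # escaped dot: literal ".php" suffix only
        )
        for n in names
    }


if __name__ == "__main__":
    print(f"{'file name':16}{'AddHandler':12}{'.php$':8}{chr(92)}.php$")
    for name, (handler, loose, strict) in compare(SAMPLES).items():
        print(f"{name:16}{handler!s:12}{loose!s:8}{strict}")
```

Running the same comparison over the names already present in an upload directory shows which files would change handling when a server moves from `AddHandler` to an escaped `FilesMatch`.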
Showing 3 changed files with 15 additions and 3 deletions.
ddb6e4f
Why not let the admin choose which way to go? Most of our servers use Apache content negotiation (MultiViews option) with PHP and this change disables it.