PHP and Apache Security, SetHandler vs AddHandler
By Remi on Sunday 13 January 2013, 09:21 - HowTo - Permalink
In the official PHP packages for Enterprise Linux and Fedora <= 17, the engine was activated by the AddHandler directive. With Fedora 18, or for users of my repository, it is now activated by the SetHandler directive.
Some explanations.
Old version (in the /etc/httpd/conf.d/php.conf file)
AddHandler php5-script .php
As the Apache documentation states, the presence of the suffix anywhere in the file name activates the engine. This creates a security problem in a public upload space: if file names are not properly controlled, a user can upload a file named image.php.png and have it executed.
New version, recommended (§8) by PHP project documentation:
<FilesMatch \.php$>
SetHandler application/x-httpd-php
</FilesMatch>
Now, only a final suffix will activate the engine. So security is improved (even if I really think that giving control of the uploaded file name to the user is really a huge design error). I haven't noticed any performance change.
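The difference between the two matching rules, as an added example that is not part of the original post: a simplified Python model of mod_mime's extension handling and of the FilesMatch regex, run over constructed file names to list those that only the old AddHandler configuration would hand to the PHP engine. The function names and the sample list are assumptions made for illustration.

```python
import re

# Constructed sample of upload-directory file names (not from the post).
SAMPLE_UPLOADS = ["photo.png", "image.php.png", "index.php",
                  "backup.php.bak", "notes.phps", "archive.tar.gz"]

# The regex used in the new php.conf: <FilesMatch \.php$>
FILESMATCH_PHP = re.compile(r"\.php$")


def addhandler_activates(name, ext="php"):
    # Simplified model of "AddHandler php5-script .php": mod_mime splits
    # the file name on dots, skips the first token (the base name) and
    # treats every later token as an extension, case-insensitively.
    extensions = [e.lower() for e in name.split(".")[1:]]
    return ext.lower() in extensions


def filesmatch_activates(name):
    # Model of the FilesMatch block: only a final ".php" suffix matches.
    return FILESMATCH_PHP.search(name) is not None


def only_old_rule(names):
    # Names the old configuration would pass to the PHP engine but the
    # new one would not: the ones to look for in an upload space.
    return [n for n in names
            if addhandler_activates(n) and not filesmatch_activates(n)]


if __name__ == "__main__":
    for n in SAMPLE_UPLOADS:
        print(f"{n:16} AddHandler={addhandler_activates(n)!s:5} "
              f"FilesMatch={filesmatch_activates(n)}")
    print("Executed only under the old rule:", only_old_rule(SAMPLE_UPLOADS))
```

Feeding it the real listing of an upload directory shows which existing files depended on the old behaviour.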
Warning: this change may break some configurations, for example when you want to allow users to upload .php files in a public space but deactivate the PHP engine there (as on this blog).
With the old configuration, you just had to remove the handler (and probably change the MIME type):
<Directory /path/to/blog/public>
RemoveHandler .php
<Files ~ "\.php$">
ForceType text/plain
</Files>
</Directory>
This configuration will not work anymore, and must be changed.
For example, I use the following (which also enables the colorized output of sources for this space):
<Directory /path/to/blog/public>
<FilesMatch \.php$>
SetHandler None
ForceType text/plain
</FilesMatch>
<FilesMatch \.phps$>
SetHandler application/x-httpd-php-source
</FilesMatch>
</Directory>
So, if you upgrade from Fedora 17 to Fedora 18, or if you update from PHP 5.3 to PHP 5.4 using my repository, don't forget to check and fix all your httpd configuration files.