It was suggested that a malfunctioning web server could send unprocessed .php files to the client; potentially exposing sensitive code. Could an Apache file directive prevent sending
.php files unless they were processed?
The Apache Files directive could prevent an extension completely, but that would prevent all PHP scripts.
For example, this Files directive (untested) matches files ending in
.inc, denying requests for these files.
<Files ~ "\.(inc)$"> Order allow,deny Deny from all Satisfy All </Files>
What if something similar was placed inside a test for a module?
<IfModule !mod_php4.c> <Files ~ "\.(php)$"> Order allow,deny Deny from all Satisfy All </Files> </IfModule>
I am thinking that a failed PHP module could be tested and
.php files could be conditionally blocked with the above
Should the server deny all PHP files if the module crashed and burned on startup? Could a solution similar to this be put into effect if the module crashed and burned after startup?