Bug 57778 - Effect of AddType should be documented in more detail
Summary: Effect of AddType should be documented in more detail
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Documentation (show other bugs)
Version: 2.5-HEAD
Hardware: PC Linux
: P2 normal (vote)
Target Milestone: ---
Assignee: HTTP Server Documentation List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-03-30 01:14 UTC by sebastian
Modified: 2015-04-28 19:25 UTC (History)
0 users


Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description sebastian 2015-03-30 01:14:35 UTC 
Hi!

The latest documentation of the AddType directive [1] says that it "maps the given filename extensions onto the specified content type".  What it is not saying is what that mapping is responsible for.

I read the docs like adding a mapping results in a server response header

  Content-type: xxxx

rathern than sending the type set by DefaultType, and nothing more.

A fellow developer explained that a call to AddType can affect the handler used, too.  Is that correct?  Right now my impression is that AddType is more like AddHandler /plus/ producing a Content-Type header rather than just controlling server response header content.  The docs should have an answer or a quality pointer to more details, at least.

So please add details about the actual effects of using the Addtype directive.  Many thanks!


[1] https://httpd.apache.org/docs/current/mod/mod_mime.html#addtype
Comment 1 sebastian 2015-04-05 21:33:57 UTC 
Update:  With Apache 2.4 the line

  AddType application/x-httpd-php .php .php5 .phtml

does get my PHP files executed, I verified.

That's not documented at [1].  Please document it.  Thank you!
Comment 2 Eric Covener 2015-04-22 17:27:43 UTC 
thanks for the report. I've added a note in trunk and 2.4 about the legacy type-as-handler stuff.
Comment 3 sebastian 2015-04-22 18:39:47 UTC 
(In reply to Eric Covener from comment #2)
> thanks for the report. I've added a note in trunk and 2.4 about the legacy
> type-as-handler stuff.

Thanks for your work on this matter.

I found the related commit at r1675426:
https://svn.apache.org/viewvc?view=revision&revision=1675426

To be honest, I find the note rather hard to understand, even _with_ a background of having understood what's going on to some extent prior to reading.
And there is no mention of potential danger / security.

I'd provide a patch if I knew how to put it well.
Quoting a public mail of yours, 

  "If no handler is explicitly set, the content-type is copied over
  as the handler."

put it much more clearly.

Besides:

 * there is a typo "diretives", 

 * some double quotes may need conversion to """ (not sure) and

 * for "magic" I would use "artificial", instead.

My vote for re-opening, please.
Comment 4 Eric Covener 2015-04-22 19:37:29 UTC 
updated in r1675471, trunk only for now. I've tried to lead with the short form and warn at the end.
Comment 5 sebastian 2015-04-28 19:25:22 UTC 
(In reply to Eric Covener from comment #4)
> updated in r1675471, trunk only for now. I've tried to lead with the short
> form and warn at the end.

A lot better now.

For the

  Configurations that rely on such "synthetic" types should be avoided

a rationale would be cool.

On

  Additionally, configurations that restrict access to SetHandler
  or AddHandler should restrict access to this directive as well

I'm unsure what that really is about. If it means to say "AddType has the same security implications as AddHandler (getting you into remote code execution); you may want to use ForceType wrapped by FilesMatch, instead", that's the kind of warning I hoped for.