
As far as I know, mod_php can be configured either by means of php.ini or .htaccess files while, for CGI, .htaccess files cannot be used.

Does the fact that mod_php can use .htaccess files make it more insecure with respect to CGI?

Thomas
Simus

2 Answers


Your base assumption is wrong, as PHP in a CGI can scan per-directory .ini files.

Both features can be turned off, either by not setting

AllowOverride Options

in your Apache config or by setting

user_ini.filename =      # empty value!

in your global PHP config.

So, in summary, both are similarly safe or unsafe. That said, I wouldn't say that even if only .htaccess was possible, it would be more unsafe, as there is a restricted set of options you can set in either .htaccess or per-dir .ini files anyway, for security purposes.

Sven

First let's clear up concepts.

.htaccess is not a magic file for you to configure stuff for mod_php or Rewrites only.

.htaccess files are a means for non-admin users to make configurations in specific directories for httpd. If you are the admin of your httpd server, you don't need to use them; even more, it is sane to not use them at all, because, given their nature as per-dir configurations, they tend to add more complexity, headaches and lots of "hair pulling" (just search serverfault or stackoverflow).

HTTPD directives often have several valid contexts, so regarding configuration for Apache HTTPD, you could probably define all mod_php directives in virtualhost context, or directory, not just ".htaccess". If you want to know which directives can be used with mod_php you can check its documentation or get all the directives it supports with the mod_info httpd module, which will tell you all the modules you have loaded and their list of provided directives.

And you will wonder, then why is it so widespread? Because most php applications and similar deliver a .htaccess file or more in them so you don't have to think and make it work right away, although in many cases that will just cause you issues in the long run.

What should you do instead? If you are the admin of the httpd server, try to configure non-global directives in virtualhost always over directory, unless you really have no other choice, and don't ever use .htaccess.

Do you know that for each hit the httpd server receives your .htaccess files are read at least three times? And the more you have, the more overhead your server will have? Add this to being forced to use mod_php and a non-threaded MPM (prefork) and your httpd server will probably perform in a rather non-ideal fashion.

mod_php is a third party module to parse php files inside Apache HTTPD Server. Many people use it because most distros, still nowadays, deliver it by default, so most lazy people just install apache httpd with it without any more thought because it is kind of install&play, but it brings some disadvantages, such as having to force httpd to use a non-scaling MPM, such as prefork, because mod_php is not thread-safe; thus many of those people end up complaining about lag spikes when load increases, or can't distinguish when their scripts slow down the httpd server because all they can see is "httpd spawns lots of processes and it takes too long to respond".

Configuring PHP settings. As I mentioned above, like all httpd modules, third party or not, mod_php provides a set of "directives" that provide functionality, so most mod_php directives provide functionality specific to php parsing, in most cases the same that will be provided by mod_php directives, and some others can just be set in php.ini settings; check the PHP documentation for that.

What to do? Separate httpd and php parsing. Parse your php files in a php-fpm server, and make your httpd server reverse proxy those requests to php-fpm with mod_proxy and mod_proxy_fcgi. More info here: https://wiki.apache.org/httpd/PHP-FPM

ezra-s
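Putting the two answers together, here is an added example (not configuration from either answer) of an Apache 2.4 virtual host that disables per-directory overrides, as Sven describes, and hands .php files to php-fpm over mod_proxy_fcgi instead of loading mod_php, as ezra-s recommends. The ServerName, DocumentRoot and the php-fpm socket path are assumptions; adjust them to your distro's layout.

```apache
# Added example: one vhost combining both answers' advice.
# Assumed values: example.com, /var/www/example, /run/php/php-fpm.sock.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example

    <Directory /var/www/example>
        # No .htaccess is consulted at all in this tree: a file dropped into
        # DocumentRoot cannot change httpd or mod_php behaviour, and httpd
        # stops stat()ing for .htaccess on every request.
        AllowOverride None
        Require all granted
    </Directory>

    # Hand .php requests to php-fpm over its UNIX socket (mod_proxy +
    # mod_proxy_fcgi). With no mod_php loaded, httpd can run a threaded MPM
    # such as event, and PHP executes in php-fpm's own process pool.
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/run/php/php-fpm.sock|fcgi://localhost/"
    </FilesMatch>
</VirtualHost>
```

On the PHP side, the per-directory .user.ini scanning that Sven mentions is turned off separately, by setting `user_ini.filename =` (empty value) in the global php.ini that php-fpm reads; this vhost only covers the httpd half.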