I just installed phpdocumentor, but received strange errors. I finally tracked down the problem.
Phpdocumentor creates various files such as someFile.php.txt which contain PHP code but aren't meant to be parsed. Turns out, my server is parsing them. I've also tested a file named someFile.txt, and it isn't being parsed.
How do I prevent my PHP server from parsing files such as someFile.php.txt?
My server is PHP Version 5.4.20, Apache 2.2.15, and CentOS 6.4. My /etc/httpd/conf.d/php.conf file is as follows:
#
# PHP is an HTML-embedded scripting language which attempts to make it
# easy for developers to write dynamically generated webpages.
#
<IfModule prefork.c>
LoadModule php5_module modules/libphp5.so
</IfModule>
<IfModule worker.c>
LoadModule php5_module modules/libphp5-zts.so
</IfModule>
#
# Cause the PHP interpreter to handle files with a .php extension.
#
AddHandler php5-script .php
AddType text/html .php
#
# Add index.php to the list of files that will be served as directory
# indexes.
#
DirectoryIndex index.php
#
# Uncomment the following line to allow PHP to pretty-print .phps
# files as PHP source code:
#
#AddType application/x-httpd-php-source .phps
The best way to prevent direct access to files is to place them outside of the web-server document root (usually, one level above). You can still include them, but there is no possibility of someone accessing them through an http request.
It is possible to insert the content of one PHP file into another PHP file (before the server executes it), with the include or require statement. The include and require statements are identical, except upon failure: require will produce a fatal error (E_COMPILE_ERROR) and stop the script.
It turns out that the default settings of CentOS Apache actually allow this and it is a known vulnerability. In order to fix it, you will need to edit your Apache config settings. Your PHP settings are typically in /etc/httpd/conf.d/php.conf. The default looks like this
AddHandler php5-script .php
AddType text/html .php
We need to change it to
#AddHandler php5-script .php
<FilesMatch \.php$>
SetHandler application/x-httpd-php
</FilesMatch>
AddType text/html .php
Restart Apache and that should be the end of parsing any file with an extension after .php
Now, that $ is very important because this is using regex, and within regex a $ means "end of string". So that means the file has to END with .php (i.e. no .php.txt) to be parsed by PHP.
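To make the difference between the two directives concrete, here is an added shell script (it is not part of the answer above and not Apache's code) that simulates Apache's handler selection for a handful of constructed filenames. mod_mime treats every dot-separated segment after the basename as an extension, so "AddHandler php5-script .php" fires for someFile.php.txt, whereas the FilesMatch regex anchored with $ fires only when the name actually ends in .php. The function names and the sample filenames are my own.

```shell
#!/bin/sh
# Added example: simulate which filenames each Apache configuration
# hands to the PHP handler. Not part of the original answer.

# Does "AddHandler php5-script .php" select the PHP handler for $1?
# mod_mime splits the name on dots and treats every segment after the
# basename as an extension, compared case-insensitively.
addhandler_matches() {
    name=${1##*/}                     # strip any directory part
    rest=${name#*.}                   # everything after the first dot
    [ "$rest" = "$name" ] && return 1 # no dot at all: no extensions
    oldIFS=$IFS
    IFS=.
    for ext in $rest; do
        ext=$(printf '%s' "$ext" | tr 'A-Z' 'a-z')
        if [ "$ext" = "php" ]; then
            IFS=$oldIFS
            return 0
        fi
    done
    IFS=$oldIFS
    return 1
}

# Does "<FilesMatch \.php$>" select the PHP handler for $1?
# The regex is anchored at end of string, so only a trailing ".php" matches.
filesmatch_matches() {
    name=${1##*/}
    printf '%s\n' "$name" | grep -Eq '\.php$'
}

# Print one line per filename showing which configuration would parse it.
classify() {
    if addhandler_matches "$1"; then a=yes; else a=no; fi
    if filesmatch_matches "$1"; then f=yes; else f=no; fi
    printf '%-20s AddHandler=%-3s FilesMatch=%s\n' "$1" "$a" "$f"
}

# Constructed sample names, including the phpDocumentor-style .php.txt case
# and an uploaded "image" that would be executed under the default config.
for n in index.php someFile.php.txt someFile.txt upload.php.jpg config.php.bak; do
    classify "$n"
done
```

Running it prints a table in which someFile.php.txt, upload.php.jpg and config.php.bak are parsed under AddHandler but not under FilesMatch, while index.php is parsed under both and someFile.txt under neither. After changing the config, restart Apache and confirm with a real request (for example curl against a test .php.txt file) that the raw source is now returned instead of being executed.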