Hi! A friend of mine ran into known (though not well -known) security issues with Apache's AddHandler directive. Basically, Apache configuration like

# Avoid!
AddHandler php5-fcgi .php

applies to a file called evilupload.php.png, too. Yes. Looking at the current Apache documentation, it should clearly say that AddHandler should not be used any more for security reasons. That's what I would expect. What I find as of 2015-02-15 looks different:

• https://httpd.apache.org/docs/current/mod/mod_mime.html#multipleext SetHandler advised, no mention of "security", though
• https://httpd.apache.org/docs/current/mod/mod_mime.html#addhandler Dangerous example "AddHandler cgi-script .cgi" No mention of "security"
• https://httpd.apache.org/docs/current/mod/mod_mime.html#RemoveHandler Promition of AddHandler: "AddHandler server-parsed .html"
• https://httpd.apache.org/docs/current/handler.html#examples Promition of AddHandler: "AddHandler add-footer .html"
• https://wiki.apache.org/httpd/FAQ#How_do_I_enable_CGI_execution_in_directories_other_than_the_ScriptAlias.3F Dangerous recommendation "add a line such as AddHandler cgi-script .cgi"

Maybe that's why AddHandler is still proposed all across the Internet:

• https://wiki.archlinux.org/index.php/Apache_HTTP_Server
• https://wiki.archlinux.org/index.php/Apache_and_FastCGI
• http://aktuell.de.selfhtml.org/artikel/server/apacheconf/apconf15.htm
• https://all-inkl.com/wichtig/
• https://www.devside.net/articles/php
• http://php.net/manual/en/install.unix.php#78781
• http://askubuntu.com/questions/378734/how-to-configure-apache-to-run-php-as-fastcgi-on-ubuntu-12-04-via-terminal
• ..

And maybe that's why it made its way into app-admin/eselect-php (bug #538822) and a few more. Please join the fight. Time to get AddHandler off the Internet!