This is more of a security question: Are there any circumstances (i.e. running PHP as a CGI binary versus Apache module, examples of poor default configurations, etc.) where Apache would render the unprocessed source code for a PHP script if PHP were to crash independently of Apache?
1 Answer
No: Apache delegates script processing entirely to PHP using some method or another (DSO, CGI, suPHP, whatever). Whatever it outputs, will be treated as the response to render to the user.
If it is going to crash, then most of the time, the process will crash without outputting headers. If it does not output headers (which Apache will know because it won't find a single blank line in the response), it'll render a 500 Internal Server Error failed and log a message in your error_log with Premature end of script headers.
If, say, it managed to output:
Content-type: text/plain Segmentation Fault Then the user will see "Segmentation Fault" on their screen, nothing more, nothing less.
Your question also says:
examples of poor default configurations
Yes, if Apache is not configured to process PHP pages, then it will output just dump the file to the user. Other than that, there is no kind of poor configuration that would get you in a half-state where it works most of the time but not all of the time.
- 1There was a report a few years ago where a Facebook server showed PHP script source. However, the webserver software had not been installed properly, and so the code was not being run by the PHP runtime, hence it was downloaded as plain text. Not a failure of PHP though.Alister Bulman– Alister Bulman2012-11-23 23:41:55 +00:00Commented Nov 23, 2012 at 23:41
- 1Very interesting; here is a reference to that if anyone is interested: techcrunch.com/2007/08/11/facebook-source-code-leakedAndrew Odri– Andrew Odri2012-11-24 06:56:46 +00:00Commented Nov 24, 2012 at 6:56