why is a .txt file being run as a php script?

[Tim]

Mike Wright:
>> For further head explosion refer please refer to
>> http://httpd.apache.org/docs/2.2/content-negotiation.html

Tom Horsley:
> That was the one that made my head explode :-).
> 
> I have just tried it turning off MultiViews in the
> directory where I have my copy of my web pages and
> by gosh, it does indeed just show me the file now
> instead of running the php script, so even though
> my poor brain can't figure out how the heck what the
> apache docs say about MultiViews could possibly
> cause this, it does indeed appear to be MultiViews
> that is causing it.

Content negotiation allows the webserver to hold multiple different
variations of the same data, and for the webserver and web browser to
negotiate between them as to which will be the best version to offer.

That could be a web page written in several different languages (each
actual version being a different file), and your browser (if you
bothered to configure it properly) will state what languages you can
read, and hopefully the server will offer the best match.  That's
relatively simple if there's just one match (e.g. English), becoming
more complicated if there's several matches.  In that case, there's a
weighting applied.  Supposedly, the author can score the pages, so that
one version is promoted as the best, and other's lesser (e.g. their
skills in that language aren't as good, or they used an auto-translater,
so that that page may be harder to understand).  And supposedly the web
browser can score your list of languages that you can read.  However,
I've yet to see a browser do that, it just seems to let you sort the
order of the languages in the list, and the top of the list is
supposedly considered best.  I've yet to see an example of how the page
author can score their pages, short of making explicit configurations of
the webserver, per page.

And, it can negotiation be for different file types.  I could offer
downloads of a document in PDF, ODT, DOC, or just TXT, and between the
server and the browser working it out, they'd hopefully offer you the
best choice (as outlined in the language discussion, above, some
weighting automatically picks the best choice).  Likewise, I could offer
you JPEGs, or GIFs, or PNGs, of the same image, and hopefully offer you
the best choice.  Unfortunately, with these sorts of negotiated
offerings, the usual consideration seems to be merely be picking the
smallest size file.  And most browsers default configuration says that
they'll accept ANY type of file, never mind if that file is actually
supported on your system.  So you can still get offered file types that
you can't actually use.

In any case, language or file type of negotiation, the server uses the
filename as part of the process.  Particularly the file suffix.  And
multiple file suffixes are allowed.  i.e. example.php.txt is a PHP file
(to be treated as a PHP file), *AND* a text file.  As you've found out,
there are problems when you use file suffixes with competing purposes.

For fun and games, you could see what happens with example.jpg.txt and
example.txt.jpg, with images and text files tried with either names.
Similar games with example.html.txt and example.txt.html can be rather
confusing (serving HTML or plain text).  Even more so when you try to
browse using a non-compliant browser, like MSIE, which pays scant
attention to the MIME type sent by the server, and snoops at the file
data content, instead.  Hence, the many misconfigured web servers that
seem to work, because the webmaster knows not what they're doing.  And
hence the many infected Windows machine, because the browser executed
the executable program that was deliberately sent to the browser with a
safe MIDI filetype description, the browser allowing such a safe thing,
then automatically doing what it does with the executable program that
it found, instead.

But, if you're not using content negotiation, and you don't appear to
be, and most people probably do not use it.  You can, and probably
should, disable the feature.  It'll mean less work for the server, and
less chance of surprises.

-- 
[tim at localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.