I know it's been ages since I posted this, but I figure I should report back.
This ProxyPassMatch directive is in the Apache configuration file in /etc/apache2/sites-available/. Clearly, by the Apache rules, the ProxyPassMatch directive gets executed before any .htaccess file rules get interpreted. That being the case, the request matches that directive for any request ending in .php:
ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php/php7.0-fpm.sock|fcgi://localhost/var/www/html/
Because of this, any request for a string ending in .php gets passed to the PHP-FPM pool which tries to execute the PHP file.
I solved the 404 Not Found problem for my particular situation by adding additional (and quite ad hoc) redirect rules in the Apache conf file BEFORE this ProxyPassMatch directive. This has the effect of rewriting things before PHP-FPM gets run on any file.
Sadly, the risk described in the Apache wiki is still a problem. That wiki recommends:
- keeping uploaded files outside the document root
- scrutinizing pathinfo
- PHP-FPM should check if the script being invoked is allowed
- If such restrictions cannot be implemented easily, then checks could be performed prior to proxying with a RewriteCond or FallbackResource to ensure that the URI is not altered by the HTTP client
It sounds to me like Apache is punting to PHP on this security matter.
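For readers who want to see what the wiki's advice looks like next to the directive quoted above, here is an added example of a hardened vhost. It is not the poster's configuration and not the Apache wiki's text; it assumes Apache 2.4.10 or later with mod_proxy_fcgi and mod_rewrite loaded, PHP-FPM listening on /run/php/php7.0-fpm.sock, a DocumentRoot of /var/www/html (both taken from the quoted ProxyPassMatch line), and a hypothetical upload directory /var/www/html/uploads. That the unix:...|fcgi:// socket URL is accepted in a RewriteRule [P] target the same way it is in ProxyPassMatch is also an assumption; the TCP form fcgi://127.0.0.1:9000/ works there as well.

```apache
# Added example (not the poster's configuration). Assumes Apache >= 2.4.10 with
# mod_proxy_fcgi and mod_rewrite, PHP-FPM on /run/php/php7.0-fpm.sock, and
# DocumentRoot /var/www/html; /var/www/html/uploads is hypothetical.
<VirtualHost *:80>
    DocumentRoot /var/www/html

    # Weak pattern, as in the post: the regex alone decides what reaches FPM, so
    # /uploads/avatar.jpg/x.php and /uploads/avatar.jpg.php both match and are
    # handed to the pool before Apache has looked at the filesystem.
    #ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php/php7.0-fpm.sock|fcgi://localhost/var/www/html/

    # Hardened alternative 1: SetHandler is applied after Apache has mapped the
    # URI to a file, so it fires only when the resolved file itself ends in .php.
    # For /uploads/avatar.jpg/x.php the resolved file is avatar.jpg and "/x.php"
    # becomes PATH_INFO, so the request is never proxied to FPM.
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/run/php/php7.0-fpm.sock|fcgi://localhost/"
    </FilesMatch>

    # Hardened alternative 2 (the RewriteCond check the wiki mentions): proxy
    # only when the literal requested path exists as a regular file under the
    # document root. This also refuses PATH_INFO-style URIs such as
    # /index.php/extra, which is the intent: the URI must not have been altered
    # by the client. %{REQUEST_FILENAME} is NOT usable here, because in
    # virtual-host context it still holds the URI, not a filesystem path.
    #RewriteEngine On
    #RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} -f
    #RewriteRule ^/(.*\.php)$ unix:/run/php/php7.0-fpm.sock|fcgi://localhost/var/www/html/$1 [P,L]

    # Defence in depth for an upload directory that cannot be moved outside the
    # document root: nothing named *.php is served from it at all. Authorization
    # runs before the handler, so this denies the request before any proxying.
    <Directory "/var/www/html/uploads">
        <FilesMatch "\.php$">
            Require all denied
        </FilesMatch>
    </Directory>
</VirtualHost>
```

Either alternative closes the "existing non-PHP file plus a trailing /x.php" trick, because both make Apache consult the filesystem before proxying. Neither stops a file that was uploaded with a literal .php name inside the document root; that is why the wiki's first recommendation is to keep uploads outside it, and why the Directory block above is worth keeping even with the handler fixed. On the FPM side, the pool's security.limit_extensions (which defaults to .php) is the "PHP-FPM should check if the script being invoked is allowed" item from the list above, and it only refuses scripts whose extension is not .php, so it does not help with the renamed-upload case either.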