[PHP] Apache rule/directive to stop serving PHP pages from /var/www/includes/
(Sorry if this is a duplicate. I sent one earlier with OT: prefixing the subject line and I think this list software kills the message despite being proper netiquette. *sigh*) I have your basic web tree setup. develo...@mypse:/var/www/dart2$ tree -d -I 'CVS' |-- UPDATES |-- ajax |-- images | |-- gui | `-- icons `-- includes |-- classes |-- css |-- functions | `-- xml |-- gui |-- js | |-- charts `-- pear |-- Auth |-- Benchmark |-- DB |-- Date |-- File |-- Spreadsheet `-- XML_RPC It's not ideal. I would normally have /includes/ in a directory outside the servable webroot directory, but for various reasons I won't go into, this is how it is. Now I have Apache configured to NOT allow directory browsing. I also have a index.html file in most all main directories to log attempts and also redirect back to the main site. What I don't know how to protect against is if someone were to KNOW the name of a .php file. Say I have /includes/foo.inc.php for example, someone can put that in their URL and apache will happily serve it up. :( Is there a directive to prevent this? I would think it should be doable since PHP reads the file directly off of disk via a command like this and isn't really served perse: require_once ROOTPATH.'/includes/functions/foo.inc.php'; Anyone? Anyone? Beuller? Beuller? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Apache rule/directive to stop serving PHP pages from /var/www/includes/
Daevid Vincent wrote: (Sorry if this is a duplicate. I sent one earlier with OT: prefixing the subject line and I think this list software kills the message despite being proper netiquette. *sigh*) I have your basic web tree setup. develo...@mypse:/var/www/dart2$ tree -d -I 'CVS' |-- UPDATES |-- ajax |-- images | |-- gui | `-- icons `-- includes |-- classes |-- css |-- functions | `-- xml |-- gui |-- js | |-- charts `-- pear |-- Auth |-- Benchmark |-- DB |-- Date |-- File |-- Spreadsheet `-- XML_RPC It's not ideal. I would normally have /includes/ in a directory outside the servable webroot directory, but for various reasons I won't go into, this is how it is. Now I have Apache configured to NOT allow directory browsing. I also have a index.html file in most all main directories to log attempts and also redirect back to the main site. What I don't know how to protect against is if someone were to KNOW the name of a .php file. Say I have /includes/foo.inc.php for example, someone can put that in their URL and apache will happily serve it up. :( Is there a directive to prevent this? I would think it should be doable since PHP reads the file directly off of disk via a command like this and isn't really served perse: require_once ROOTPATH.'/includes/functions/foo.inc.php'; Anyone? Anyone? Beuller? Beuller? LocationMatch ^/includes/ Order allow,deny Deny from all /LocationMatch Cheers, Rob. -- http://www.interjinn.com Application and Templating Framework for PHP -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Apache rule/directive to stop serving PHP pages from /var/www/includes/ [SOLVED]
-Original Message- From: Robert Cummings [mailto:rob...@interjinn.com] Sent: Thursday, April 01, 2010 7:23 PM To: Daevid Vincent Cc: php-general@lists.php.net Subject: Re: [PHP] Apache rule/directive to stop serving PHP pages from /var/www/includes/ Daevid Vincent wrote: (Sorry if this is a duplicate. I sent one earlier with OT: prefixing the subject line and I think this list software kills the message despite being proper netiquette. *sigh*) I have your basic web tree setup. develo...@mypse:/var/www/dart2$ tree -d -I 'CVS' |-- UPDATES |-- ajax |-- images | |-- gui | `-- icons `-- includes |-- classes |-- css |-- functions | `-- xml |-- gui |-- js | |-- charts `-- pear |-- Auth |-- Benchmark |-- DB |-- Date |-- File |-- Spreadsheet `-- XML_RPC It's not ideal. I would normally have /includes/ in a directory outside the servable webroot directory, but for various reasons I won't go into, this is how it is. Now I have Apache configured to NOT allow directory browsing. I also have a index.html file in most all main directories to log attempts and also redirect back to the main site. What I don't know how to protect against is if someone were to KNOW the name of a .php file. Say I have /includes/foo.inc.php for example, someone can put that in their URL and apache will happily serve it up. :( Is there a directive to prevent this? I would think it should be doable since PHP reads the file directly off of disk via a command like this and isn't really served perse: require_once ROOTPATH.'/includes/functions/foo.inc.php'; Anyone? Anyone? Beuller? Beuller? LocationMatch ^/includes/ Order allow,deny Deny from all /LocationMatch Brilliant! Thanks Rob. Here is the final that I went with (turns out I had to mind the /includes/js directory or all my jQuery stuff STB, so that's why I call each directory out like that): develo...@myvm:/etc/apache2/sites-enabled$ tail -n20 000-default # [dv] added 2010-04-01 to prevent serving include files and such LocationMatch /UPDATES/ Order allow,deny Deny from all /LocationMatch FilesMatch \.sql$ Order allow,deny Deny from all /FilesMatch LocationMatch /includes/(classes|functions|gui|pear)/ Order allow,deny Deny from all /LocationMatch FilesMatch \.(inc|class)\.php$ Order allow,deny Deny from all /FilesMatch -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php