Daevid Vincent wrote:
(Sorry if this is a duplicate. I sent one earlier with "OT:" prefixing the
subject line and I think this list software kills the message despite being
proper netiquette. *sigh*)

I have your basic web tree setup.
develo...@mypse:/var/www/dart2$ tree -d -I 'CVS'
|-- ajax
|-- images
|   |-- gui
|   `-- icons
`-- includes
    |-- classes
    |-- css
    |-- functions
    |   `-- xml
    |-- gui
    |-- js
    |   |-- charts
    `-- pear
        |-- Auth
        |-- Benchmark
        |-- DB
        |-- Date
        |-- File
        |-- Spreadsheet
        `-- XML_RPC
It's not ideal. I would normally have /includes/ in a directory outside the
servable webroot directory, but for various reasons I won't go into, this
is how it is.

Now I have Apache configured to NOT allow directory browsing.

I also have a index.html file in most all main directories to log attempts
and also redirect back to the main site.

What I don't know how to protect against is if someone were to KNOW the
name of a .php file. Say I have /includes/foo.inc.php for example, someone
can put that in their URL and apache will happily serve it up. :(

Is there a directive to prevent this?

I would think it should be doable since PHP reads the file directly off of
disk via a command like this and isn't really served perse:

require_once ROOTPATH.'/includes/functions/foo.inc.php';

Anyone? Anyone? Beuller? Beuller?

<LocationMatch "^/includes/">

    Order allow,deny
    Deny from all


Application and Templating Framework for PHP

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to