-----Original Message-----
From: Robert Cummings [mailto:rob...@interjinn.com]
Sent: Thursday, April 01, 2010 7:23 PM
To: Daevid Vincent
Cc: php-general@lists.php.net
Subject: Re: [PHP] Apache rule/directive to stop serving PHP pages from /var/www/includes/
Daevid Vincent wrote:

(Sorry if this is a duplicate. I sent one earlier with OT: prefixing the subject line and I think this list software kills the message despite being proper netiquette. *sigh*)

I have your basic web tree setup.
develo...@mypse:/var/www/dart2$ tree -d -I 'CVS'
|-- UPDATES
|-- ajax
|-- images
|   |-- gui
|   `-- icons
`-- includes
    |-- classes
    |-- css
    |-- functions
    |   `-- xml
    |-- gui
    |-- js
    |   |-- charts
    `-- pear
        |-- Auth
        |-- Benchmark
        |-- DB
        |-- Date
        |-- File
        |-- Spreadsheet
        `-- XML_RPC
It's not ideal. I would normally have /includes/ in a directory outside the servable webroot directory, but for various reasons I won't go into, this is how it is.

Now I have Apache configured to NOT allow directory browsing. I also have an index.html file in most all main directories to log attempts and also redirect back to the main site.

What I don't know how to protect against is if someone were to KNOW the name of a .php file. Say I have /includes/foo.inc.php for example, someone can put that in their URL and apache will happily serve it up. :(

Is there a directive to prevent this?

I would think it should be doable since PHP reads the file directly off of disk via a command like this and isn't really served per se:

require_once ROOTPATH.'/includes/functions/foo.inc.php';

Anyone? Anyone? Bueller? Bueller?
<LocationMatch ^/includes/>
    Order allow,deny
    Deny from all
</LocationMatch>
Brilliant! Thanks Rob.

Here is the final that I went with (turns out I had to mind the /includes/js directory or all my jQuery stuff STB, so that's why I call each directory out like that):
develo...@myvm:/etc/apache2/sites-enabled$ tail -n20 000-default

# [dv] added 2010-04-01 to prevent serving include files and such
<LocationMatch /UPDATES/>
    Order allow,deny
    Deny from all
</LocationMatch>

<FilesMatch \.sql$>
    Order allow,deny
    Deny from all
</FilesMatch>

<LocationMatch /includes/(classes|functions|gui|pear)/>
    Order allow,deny
    Deny from all
</LocationMatch>

<FilesMatch \.(inc|class)\.php$>
    Order allow,deny
    Deny from all
</FilesMatch>
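The script below is an added example, not part of the thread and not Daevid's or Rob's code: it replays the four regexes from the final config above against a constructed list of request URIs with grep -E, so you can see which requests the rules would refuse before relying on them. It assumes Apache evaluates <LocationMatch> against the request URI and <FilesMatch> against the requested file's basename, that URIs map 1:1 onto files under DocumentRoot, and that no rewrite rules intervene. The verdict function and the sample URIs are hypothetical names and values made up for this check.

```shell
#!/bin/sh
# Added example (not from the thread): evaluate the deny rules from the
# final config against sample request URIs using the same regexes.
# <LocationMatch> is matched against the request URI; <FilesMatch> against
# the basename of the requested file. Assumes URIs map 1:1 onto files under
# DocumentRoot and that mod_rewrite does not change the path first.

# verdict URI  -> prints "deny" or "allow"
verdict() {
    uri=$1
    base=${uri##*/}
    if printf '%s\n' "$uri" | grep -Eq '/UPDATES/'; then
        echo deny            # <LocationMatch /UPDATES/>
    elif printf '%s\n' "$base" | grep -Eq '\.sql$'; then
        echo deny            # <FilesMatch \.sql$>
    elif printf '%s\n' "$uri" | grep -Eq '/includes/(classes|functions|gui|pear)/'; then
        echo deny            # <LocationMatch /includes/(classes|functions|gui|pear)/>
    elif printf '%s\n' "$base" | grep -Eq '\.(inc|class)\.php$'; then
        echo deny            # <FilesMatch \.(inc|class)\.php$>
    else
        echo allow           # no rule matched; Apache would serve the file
    fi
}

# Constructed sample URIs (not taken from the thread), one per line.
SAMPLES='/index.php
/includes/functions/foo.inc.php
/includes/js/jquery.js
/includes/classes/User.class.php
/includes/pear/DB.php
/UPDATES/2010-04-01.sql
/ajax/dump.sql
/ajax/handler.php
/includes/helper.php
/includes/js/widget.php'

printf '%s\n' "$SAMPLES" | while IFS= read -r uri; do
    printf '%-40s %s\n' "$uri" "$(verdict "$uri")"
done
```

Two of the constructed samples, /includes/helper.php and /includes/js/widget.php, come back as "allow": a PHP file that sits directly in /includes/ or in /includes/js/ and is not named *.inc.php or *.class.php is outside every rule, so the per-directory list only holds if the file naming convention is followed everywhere. Rob's broader ^/includes/ pattern closes that gap at the cost of also blocking the jQuery files, which is the trade-off Daevid describes. The Order/Deny syntax shown is the Apache 2.2 form; on Apache 2.4 the equivalent inside each block is Require all denied, and the old directives only keep working while mod_access_compat is loaded.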
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php