Re: [PHP] Apache rule/directive to stop serving PHP pages from /var/www/includes/

2010-04-01 Thread Robert Cummings

Daevid Vincent wrote:
> (Sorry if this is a duplicate. I sent one earlier with OT: prefixing the
> subject line and I think this list software kills the message despite being
> proper netiquette. *sigh*)
>
> I have your basic web tree setup.
>
> develo...@mypse:/var/www/dart2$ tree -d -I 'CVS'
> |-- UPDATES
> |-- ajax
> |-- images
> |   |-- gui
> |   `-- icons
> `-- includes
>     |-- classes
>     |-- css
>     |-- functions
>     |   `-- xml
>     |-- gui
>     |-- js
>     |   |-- charts
>     `-- pear
>         |-- Auth
>         |-- Benchmark
>         |-- DB
>         |-- Date
>         |-- File
>         |-- Spreadsheet
>         `-- XML_RPC
>
> It's not ideal. I would normally have /includes/ in a directory outside the
> servable webroot directory, but for various reasons I won't go into, this
> is how it is.
>
> Now I have Apache configured to NOT allow directory browsing.
>
> I also have a index.html file in most all main directories to log attempts
> and also redirect back to the main site.
>
> What I don't know how to protect against is if someone were to KNOW the
> name of a .php file. Say I have /includes/foo.inc.php for example, someone
> can put that in their URL and apache will happily serve it up. :(
>
> Is there a directive to prevent this?
>
> I would think it should be doable since PHP reads the file directly off of
> disk via a command like this and isn't really served per se:
>
> require_once ROOTPATH.'/includes/functions/foo.inc.php';
>
> Anyone? Anyone? Beuller? Beuller?

<LocationMatch ^/includes/>
    Order allow,deny
    Deny from all
</LocationMatch>

Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] Apache rule/directive to stop serving PHP pages from /var/www/includes/ [SOLVED]

2010-04-01 Thread Daevid Vincent
> -----Original Message-----
> From: Robert Cummings [mailto:rob...@interjinn.com]
> Sent: Thursday, April 01, 2010 7:23 PM
> To: Daevid Vincent
> Cc: php-general@lists.php.net
> Subject: Re: [PHP] Apache rule/directive to stop serving PHP pages from /var/www/includes/
>
> Daevid Vincent wrote:
> > (Sorry if this is a duplicate. I sent one earlier with OT: prefixing the
> > subject line and I think this list software kills the message despite being
> > proper netiquette. *sigh*)
> >
> > I have your basic web tree setup.
> >
> > develo...@mypse:/var/www/dart2$ tree -d -I 'CVS'
> > |-- UPDATES
> > |-- ajax
> > |-- images
> > |   |-- gui
> > |   `-- icons
> > `-- includes
> >     |-- classes
> >     |-- css
> >     |-- functions
> >     |   `-- xml
> >     |-- gui
> >     |-- js
> >     |   |-- charts
> >     `-- pear
> >         |-- Auth
> >         |-- Benchmark
> >         |-- DB
> >         |-- Date
> >         |-- File
> >         |-- Spreadsheet
> >         `-- XML_RPC
> >
> > It's not ideal. I would normally have /includes/ in a directory outside the
> > servable webroot directory, but for various reasons I won't go into, this
> > is how it is.
> >
> > Now I have Apache configured to NOT allow directory browsing.
> >
> > I also have a index.html file in most all main directories to log attempts
> > and also redirect back to the main site.
> >
> > What I don't know how to protect against is if someone were to KNOW the
> > name of a .php file. Say I have /includes/foo.inc.php for example, someone
> > can put that in their URL and apache will happily serve it up. :(
> >
> > Is there a directive to prevent this?
> >
> > I would think it should be doable since PHP reads the file directly off of
> > disk via a command like this and isn't really served per se:
> >
> > require_once ROOTPATH.'/includes/functions/foo.inc.php';
> >
> > Anyone? Anyone? Beuller? Beuller?
>
> <LocationMatch ^/includes/>
>     Order allow,deny
>     Deny from all
> </LocationMatch>

Brilliant! Thanks Rob.

Here is the final that I went with (turns out I had to mind the
/includes/js directory or all my jQuery stuff STB, so that's why I call
each directory out like that):

develo...@myvm:/etc/apache2/sites-enabled$ tail -n20 000-default

# [dv] added 2010-04-01 to prevent serving include files and such
<LocationMatch /UPDATES/>
    Order allow,deny
    Deny from all
</LocationMatch>
<FilesMatch \.sql$>
    Order allow,deny
    Deny from all
</FilesMatch>
<LocationMatch /includes/(classes|functions|gui|pear)/>
    Order allow,deny
    Deny from all
</LocationMatch>
<FilesMatch \.(inc|class)\.php$>
    Order allow,deny
    Deny from all
</FilesMatch>
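An added coverage check for the rule set above (my own script, not from the thread or from Apache): it replays the four patterns against constructed request paths the way Apache would apply them, LocationMatch against the URL path and FilesMatch against the file name, so you can see which paths under /includes/ are still served. The rule list, sample URLs and the decoding approximation are assumptions; check against a real server before relying on it.

```python
import re
from urllib.parse import urlsplit, unquote

# Reconstruction of the posted Apache 2.2 rules as (directive, regex).
# LocationMatch is an unanchored regex over the decoded URL path;
# FilesMatch is an unanchored regex over the file name (last path segment here).
RULES = [
    ("LocationMatch", r"/UPDATES/"),
    ("FilesMatch",    r"\.sql$"),
    ("LocationMatch", r"/includes/(classes|functions|gui|pear)/"),
    ("FilesMatch",    r"\.(inc|class)\.php$"),
]

def is_denied(url):
    """Return the first rule that rejects `url`, or None if Apache would serve it."""
    path = unquote(urlsplit(url).path)          # approximates Apache's %XX decoding
    basename = path.rsplit("/", 1)[-1]
    for directive, pattern in RULES:
        subject = path if directive == "LocationMatch" else basename
        if re.search(pattern, subject):
            return f"{directive} {pattern}"
    return None

def audit(urls):
    """Map each URL to its verdict; served paths under /includes/ deserve a second look."""
    return {u: is_denied(u) for u in urls}

# Constructed sample requests (not taken from the thread).
SAMPLE_URLS = [
    "/includes/functions/foo.inc.php",   # caught by the directory rule
    "/includes/pear/DB.php",             # caught by the directory rule
    "/includes/js/jquery.js",            # intentionally still served
    "/includes/css/site.css",            # intentionally still served
    "/includes/js/helper.php",           # plain .php under js/ or css/: not covered
    "/UPDATES/schema.sql",
    "/index.php",
]

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_URLS).items():
        print(f"{url:36} {'DENIED by ' + verdict if verdict else 'SERVED'}")
```

The script reports that a plain `.php` file under `/includes/js/` or `/includes/css/` is not matched by any rule, so either keep nothing but static assets in those two directories or add them to the directory rule. On Apache 2.4 the same blocks are written with `Require all denied`; the `Order`/`Deny` form only works there with mod_access_compat loaded.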

