From: "Daevid Vincent" on 1 Apr 2010 22:59

> -----Original Message-----
> From: Robert Cummings [mailto:robert(a)interjinn.com]
> Sent: Thursday, April 01, 2010 7:23 PM
> To: Daevid Vincent
> Cc: php-general(a)lists.php.net
> Subject: Re: [PHP] Apache rule/directive to stop serving PHP pages from /var/www/includes/
>
> Daevid Vincent wrote:
> > (Sorry if this is a duplicate. I sent one earlier with "OT:" prefixing the
> > subject line and I think this list software kills the message despite being
> > proper netiquette. *sigh*)
> >
> > I have your basic web tree setup.
> >
> > developer(a)mypse:/var/www/dart2$ tree -d -I 'CVS'
> > |-- UPDATES
> > |-- ajax
> > |-- images
> > |   |-- gui
> > |   `-- icons
> > `-- includes
> >     |-- classes
> >     |-- css
> >     |-- functions
> >     |   `-- xml
> >     |-- gui
> >     |-- js
> >     |   |-- charts
> >     `-- pear
> >         |-- Auth
> >         |-- Benchmark
> >         |-- DB
> >         |-- Date
> >         |-- File
> >         |-- Spreadsheet
> >         `-- XML_RPC
> >
> > It's not ideal. I would normally have /includes/ in a directory outside the
> > servable webroot directory, but for various reasons I won't go into, this
> > is how it is.
> >
> > Now I have Apache configured to NOT allow directory browsing.
> >
> > I also have an index.html file in most all main directories to log attempts
> > and also redirect back to the main site.
> >
> > What I don't know how to protect against is if someone were to KNOW the
> > name of a .php file. Say I have /includes/foo.inc.php for example, someone
> > can put that in their URL and apache will happily serve it up. :(
> >
> > Is there a directive to prevent this?
> >
> > I would think it should be doable since PHP reads the file directly off of
> > disk via a command like this and isn't really served per se:
> >
> > require_once ROOTPATH.'/includes/functions/foo.inc.php';
> >
> > Anyone? Anyone? Bueller? Bueller?
>
> <LocationMatch "^/includes/">
>     Order allow,deny
>     Deny from all
> </LocationMatch>

Brilliant! Thanks Rob.
Here is the final that I went with (turns out I had to mind the /includes/js directory or all my jQuery stuff STB, so that's why I call each directory out like that):

developer(a)myvm:/etc/apache2/sites-enabled$ tail -n20 000-default

# [dv] added 2010-04-01 to prevent serving include files and such
<LocationMatch "/UPDATES/">
    Order allow,deny
    Deny from all
</LocationMatch>

<FilesMatch "\.sql$">
    Order allow,deny
    Deny from all
</FilesMatch>

<LocationMatch "/includes/(classes|functions|gui|pear)/">
    Order allow,deny
    Deny from all
</LocationMatch>

<FilesMatch "\.(inc|class)\.php$">
    Order allow,deny
    Deny from all
</FilesMatch>
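A quick offline check of which request paths the rules above actually refuse, as an added example that is not from the thread: it models Apache's matching in Python (<LocationMatch> as an unanchored regex search on the URL path, <FilesMatch> on the file basename), runs constructed sample requests through both Rob's first suggestion and the final config, and shows why /includes/js had to be carved out while the .inc.php FilesMatch still backstops stray include files.

```python
import re
from posixpath import basename

# Simplified Apache model: <LocationMatch> is an unanchored regex search against
# the request URL path, <FilesMatch> against the basename of the mapped file.
# Every rule is "Order allow,deny / Deny from all", so any match means a 403.
FINAL_RULES = [  # directives from the final config above
    ("LocationMatch", r"/UPDATES/"),
    ("FilesMatch", r"\.sql$"),
    ("LocationMatch", r"/includes/(classes|functions|gui|pear)/"),
    ("FilesMatch", r"\.(inc|class)\.php$"),
]
FIRST_SUGGESTION = [("LocationMatch", r"^/includes/")]  # Rob's one-liner

def matching_rule(url_path, rules=FINAL_RULES):
    """Return the first (directive, regex) that denies url_path, or None."""
    for directive, pattern in rules:
        subject = url_path if directive == "LocationMatch" else basename(url_path)
        if re.search(pattern, subject):
            return directive, pattern
    return None

def is_served(url_path, rules=FINAL_RULES):
    return matching_rule(url_path, rules) is None

# Constructed sample requests: public pages, front-end assets, include files.
SAMPLE_REQUESTS = [
    "/index.php",
    "/includes/js/jquery.js",           # must stay served or the front end breaks
    "/includes/css/site.css",
    "/includes/functions/foo.inc.php",  # the case from the original question
    "/includes/pear/DB.php",
    "/includes/foo.inc.php",            # outside the listed subdirs: FilesMatch backstop
    "/includes/js/config.inc.php",
    "/UPDATES/schema.sql",
]

def coverage_report(rules=FINAL_RULES, requests=SAMPLE_REQUESTS):
    """Map each request path to 'served' or the denying directive and regex."""
    report = {}
    for path in requests:
        hit = matching_rule(path, rules)
        report[path] = "served" if hit is None else '403 via <%s "%s">' % hit
    return report

if __name__ == "__main__":
    for name, rules in (("first suggestion", FIRST_SUGGESTION), ("final", FINAL_RULES)):
        print("== %s ==" % name)
        for path, verdict in coverage_report(rules).items():
            print("%-34s %s" % (path, verdict))
```

On Apache 2.4 the `Order allow,deny` / `Deny from all` pair is written `Require all denied` (the old syntax only works with mod_access_compat loaded). None of these rules touch PHP's own require_once, which reads the file from disk without an HTTP request.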