protect your CSS files, and possibly other extensions as well...

I recently discovered a php method to hide text-based files from remote
users while allowing access to your internal pages and scripts. You can
take advantage of this technique as well to protect your artistic rights:

There are two variants: one for PHP scripts and their included counterparts,
and another for 'stand-alone' files that are referred to within your own HTML
-- such as *.css and *.js files that are referenced via <link> or <script src> tags.

--------------------------------------
PHP SCRIPTs:
master pages: (index.php, gallery.php, ...)
<?php
   // this is placed before any other includes
   define('SOME_CONSTANT','secret_string');
?>

included pages: (header.php, menu.php, ...)
<?php
   // this is placed before any other includes
   require_once('include_path/check_constant.inc');
?>

'include_path/check_constant.inc':
<?php
/*
* PHP Internal Inclusion Verification v1.0
* Author: Tim Maynard, aka: Kit DeKat (kitdekat) (c)09-MAY-2005
* E-mail: kitdekat@xxxxxxxxxxxx
*/
// The master page defines SOME_CONSTANT before including anything, so a
// direct request for an include (or for this file) never sees it.
$const = get_defined_constants();
if( !isset($const["SOME_CONSTANT"]) ||
    ($const["SOME_CONSTANT"] != 'secret_string') )
{
    // 'Status:' is honoured by the CGI/FastCGI SAPIs, 'HTTP/1.1 ...' by
    // mod_php; sending both covers either setup.
    header('Status: 404 Not Found');
    header('HTTP/1.1 404 Not Found');
    // the following is my path to the standard Apache2 error documents; I feel
    // that the standard docs are the best way to hide the fact that the file
    // was ever there, versus a custom error page implying you're covering it up
    // (fetching it over HTTP like this requires allow_url_fopen to be enabled)
    readfile('http://'.$_SERVER["SERVER_NAME"].'/error/HTTP_NOT_FOUND.html.var');
    exit();
}
?>


--------------------------------------
This should hide all the includes, configs, etc. that you have lying around.
I should hope that you already have the following somewhere in your httpd.conf
file to protect from direct remote downloads -- this snippet will deny requests for
files ending in '.inc' and '.inc.php'; modify it to suit your site:


<Files ~ "\.inc(\.php)?$">
   Order allow,deny
   Deny from all
   Satisfy All
</Files>

--------------------------------------
CSS and JS files:

First, you will need to tell PHP to parse these files, which is again done by
editing your httpd.conf file to add the desired extensions to the PHP list:


AddType application/x-httpd-php .php .phtml .php3 .css .js

You will take a performance hit for adding the parser to more pages, but
I think it's worth the gain in security and your general sanity and well-being.
Now that PHP is parsing these files, add the following to the top of each:


<?php
/*
* PHP Internal Inclusion Verification v1.0
* Author: Tim Maynard, aka: Kit DeKat (kitdekat) (c)09-MAY-2005
* E-mail: kitdekat@xxxxxxxxxxxx
*/
// Reject the request unless the Referer names this server. strpos() is
// compared against false explicitly, since a match at offset 0 would
// otherwise be treated as "not found". The Referer header is supplied by
// the client and is absent on some requests (address-bar navigation,
// bookmarks, some privacy settings), so those requests are denied too.
if( !isset( $_SERVER["HTTP_REFERER"]) ||
    strpos($_SERVER["HTTP_REFERER"],$_SERVER["SERVER_NAME"]) === false )
{
    header('Status: 404 Not Found');
    header('HTTP/1.1 404 Not Found');
    readfile('http://'.$_SERVER["SERVER_NAME"].'/error/HTTP_NOT_FOUND.html.var');
    exit();
}
// Once PHP parses these files their default Content-Type becomes text/html;
// send the real type for the file this sits in (text/css or application/javascript).
?>


This is very similar code to the PHP-scripts variant, but the change is that it is no longer looking for
the constant (since that doesn't exist once the page is in the browser); instead it
checks that the request carries a Referer naming this server, i.e. that the file was requested by
one of the site's own pages and not typed directly into an address bar.
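As an added example (not code from the original post), the Referer test above factored into a function and run against constructed Referer values, beside a stricter variant that compares the parsed host exactly rather than searching for the server name as a substring; 'example.com' stands in for $_SERVER['SERVER_NAME'] here:

```php
<?php
// Added example, not part of the original post: the Referer test from the
// snippet above, factored into a function so it can be run against
// constructed inputs, next to an exact-host comparison.

// The original test: passes when the server name occurs anywhere in the
// Referer. strpos() is compared with false so a match at offset 0 still counts.
function referer_contains_host(?string $referer, string $serverName): bool
{
    if ($referer === null) {
        return false;
    }
    return strpos($referer, $serverName) !== false;
}

// Stricter variant: parse the Referer as a URL and require its host part to
// equal the server name exactly (case-insensitively, as hostnames are).
function referer_host_matches(?string $referer, string $serverName): bool
{
    if ($referer === null) {
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST); // null/false if no host part
    return is_string($host) && strcasecmp($host, $serverName) === 0;
}

// Constructed inputs; 'example.com' stands in for $_SERVER['SERVER_NAME'].
$serverName = 'example.com';
$cases = [
    'own page'           => 'http://example.com/index.php',
    'no Referer'         => null,
    'other site'         => 'http://other.example.net/page.html',
    'host contains name' => 'http://example.com.other.example.net/',
];

// Expected: 'own page' passes both checks, 'no Referer' and 'other site' are
// denied by both, and 'host contains name' passes only the substring check.
foreach ($cases as $label => $referer) {
    printf("%-20s substring:%-5s exact-host:%s\n",
        $label,
        referer_contains_host($referer, $serverName) ? 'pass' : 'deny',
        referer_host_matches($referer, $serverName) ? 'pass' : 'deny');
}
```

The last case is why a defender would prefer the exact-host comparison when a Referer check is used at all; the header itself remains whatever the client chose to send.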


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
