RE: Deny processing of non included files

Ok, I have actually discovered a great side-effect that I thought I'd share
with anyone interested, by using these .htaccess directives.
As I only have two index.php files on the site and they are the only two
files accessible through the browser, I have done this:

# Deny every file with an extension...
<Files *.*>
    Order Deny,Allow
    Deny from All
</Files>
# ...then re-allow only the entry script and stylesheets.
<Files index.php>
    Order Deny,Allow
    Allow from All
</Files>
<Files *.css>
    Order Deny,Allow
    Allow from All
</Files>

Now the great side effect I told you about is that you cannot blind-check
for the presence of *.php files in any directory: any file you look for,
regardless of whether it exists, returns a 403 Forbidden, so it is impossible
to find the structure of the site...

You can though test for directories.

These directives, along with a site that uses index.php as an engine to
generate content via includes, are great for really restricting site access
(of course this does not mean my includes don't have holes, but that's another
issue) on top of regular authentication. It also makes it easier for my own
authentication system, as I only have to authenticate through one file,
index.php, thus not needing any authentication on any of the included files
as suggested, and not needing to worry about that "test.php" file that got
forgotten during dev or something, or even a user uploading a $.php file I
don't want him to execute..

Thanks guys,

Regards,

Tim

> -----Original Message-----
> From: Jon Anderson [mailto:jon@xxxxxxxxxxxxxxxxxx] 
> Sent: Thursday 15 February 2007 17:11
> To: Tim
> Cc: 'php-general'
> Subject: Re:  Deny processing of non included files
> 
> Easy answer: deny access to them. Use your web server to 
> prevent execution of the files. Generally, if you're using 
> Apache, you can just do this:
> 
> <Directory /path/to/modules/>
>     Order Allow,Deny
>     Deny From All
> </Directory>
> 
> You may also be able to do that from a .htaccess file.
> 
> If you can't configure the server, just use a define at the 
> top of your index script:
> 
> define('__INDEX_PHP',TRUE);
> 
> Then just check it with a one-liner at the top of each script 
> that is for inclusion only.
> 
> Tim wrote:
> > 1. My included files "assume" the top file has initiated an
> > instance of a certain object, thus being able to use the resources
> > of the instanced objects in the top file.. (obviously I have the
> > necessary checks to make sure the instance has been created before
> > including the file) - Should I be initializing new instances of the
> > object at the top of each included file to prevent errors from
> > appearing in case someone accesses the file directly? Or should I
> > believe it doesn't really matter, as in a production environment
> > display_errors is set to off so no error output will be shown...
> >
> I don't think you ever want include files to be executed in 
> the wrong context. Just deny access.
> 
> If anything, just make an index.php page in each module dir 
> that contains only "Thanks for visiting this page, but the 
> link you followed is probably mistyped. Try <a 
> href=\"$document_root\">this</a> instead."
> > 2. What is the assessed security risk if someone accesses a
> > file directly, even if it does not output anything?
> >
> Depends on what the file contains. If it contains this: 
> "`sudo rm -r $directory/*`", then the results could be 
> disastrous, but let's hope that it wouldn't contain code like 
> that. :-)
> > 3. Is there a way to check that a file has been included by
> > such and such file, or should I develop a hash system where the
> > top page that includes files generates a hash, stores it in the db
> > for the length of the script and in a variable, and have the
> > included file check that the variable from the top file and the
> > hash in the db correspond?
> See above "define(...)" bit, which is really based on the old C header
> trick:
> 
> #ifndef __SOME_FILE_H
> #define __SOME_FILE_H
> 
> <a bunch of stuff>
> 
> #endif
> 
> jon
> 
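The two ideas in this thread, a single public entry script (Tim's index.php "engine", with everything else denied by the web server) and Jon's `define()` guard at the top of each include-only file, are combined below in an added example. This is not code from the thread or from any project the posters describe; the constant name `APP_ENTRY`, the `modules/` layout, the `page` request parameter and the session check are all assumptions made for the example. Two files are shown in one block, separated by comment banners.

```php
<?php
// ===== index.php: the only script the web server is allowed to serve =====
// Added example, not code from the thread. APP_ENTRY, modules/ and the
// 'page' parameter are assumed names chosen for this illustration.

// Set the guard constant before anything else is included. Every
// include-only file checks it, so a direct request to such a file (where
// index.php never ran) is refused even if the .htaccess rules are missing.
define('APP_ENTRY', true);

// Authenticate once, here; the included modules inherit the result and
// need no authentication code of their own.
session_start();
$authenticated = !empty($_SESSION['user']);

// Map request names to files explicitly so the request can never name a
// path of its own. An unknown name is a 404, not an include.
$pages = [
    'home'  => __DIR__ . '/modules/home.php',
    'about' => __DIR__ . '/modules/about.php',
];
$page = $_GET['page'] ?? 'home';
if (!isset($pages[$page])) {
    http_response_code(404);
    exit('Not found');
}
if (!$authenticated && $page !== 'home') {
    http_response_code(401);
    exit('Login required');
}
require $pages[$page];

// ===== modules/home.php: an include-only file =====
// Guard: if this file is reached by a direct request (the web server
// rules did not cover it, or a stray test.php/upload sits next to it),
// index.php has not run, APP_ENTRY is undefined, and execution stops
// before any of the module's code runs.
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit('Forbidden');
}

// From here on the module can rely on the objects and session state that
// index.php set up, which is the "assumption" Tim asks about in point 1.
echo '<h1>Home</h1>';
```

A plain name such as `APP_ENTRY` is used instead of Jon's `__INDEX_PHP` because PHP reserves identifiers beginning with two underscores for its own magic constants. The guard is a second layer, not a replacement for the server rules: Tim's `Order`/`Deny`/`Allow` directives are Apache 2.2 syntax and on Apache 2.4 work only with `mod_access_compat` loaded, the native 2.4 equivalents being `Require all denied` and `Require all granted`. `http_response_code()` requires PHP 5.4 or later; on older versions send the status with `header()` instead.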

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


