> -----Original Message-----
> From: Robert Cummings [mailto:robert@xxxxxxxxxxxxx]
> Sent: Thursday, April 01, 2010 7:23 PM
> To: Daevid Vincent
> Cc: php-general@xxxxxxxxxxxxx
> Subject: Re: Apache rule/directive to stop serving PHP pages from /var/www/includes/
>
> Daevid Vincent wrote:
> > (Sorry if this is a duplicate. I sent one earlier with "OT:" prefixing the
> > subject line and I think this list software kills the message despite being
> > proper netiquette. *sigh*)
> >
> > I have your basic web tree setup.
> >
> > developer@mypse:/var/www/dart2$ tree -d -I 'CVS'
> > |-- UPDATES
> > |-- ajax
> > |-- images
> > |   |-- gui
> > |   `-- icons
> > `-- includes
> >     |-- classes
> >     |-- css
> >     |-- functions
> >     |   `-- xml
> >     |-- gui
> >     |-- js
> >     |   |-- charts
> >     `-- pear
> >         |-- Auth
> >         |-- Benchmark
> >         |-- DB
> >         |-- Date
> >         |-- File
> >         |-- Spreadsheet
> >         `-- XML_RPC
> >
> > It's not ideal. I would normally have /includes/ in a directory outside the
> > servable webroot directory, but for various reasons I won't go into, this
> > is how it is.
> >
> > Now I have Apache configured to NOT allow directory browsing.
> >
> > I also have an index.html file in most all main directories to log attempts
> > and also redirect back to the main site.
> >
> > What I don't know how to protect against is if someone were to KNOW the
> > name of a .php file. Say I have /includes/foo.inc.php for example, someone
> > can put that in their URL and apache will happily serve it up. :(
> >
> > Is there a directive to prevent this?
> >
> > I would think it should be doable since PHP reads the file directly off of
> > disk via a command like this and isn't really served per se:
> >
> > require_once ROOTPATH.'/includes/functions/foo.inc.php';
> >
> > Anyone? Anyone? Beuller? Beuller?
>
> <LocationMatch "^/includes/">
>     Order allow,deny
>     Deny from all
> </LocationMatch>

Brilliant! Thanks Rob.
Here is the final that I went with (turns out I had to mind the /includes/js directory or all my jQuery stuff STB, so that's why I call each directory out like that):

developer@myvm:/etc/apache2/sites-enabled$ tail -n20 000-default

# [dv] added 2010-04-01 to prevent serving include files and such
<LocationMatch "/UPDATES/">
    Order allow,deny
    Deny from all
</LocationMatch>
<FilesMatch "\.sql$">
    Order allow,deny
    Deny from all
</FilesMatch>
<LocationMatch "/includes/(classes|functions|gui|pear)/">
    Order allow,deny
    Deny from all
</LocationMatch>
<FilesMatch "\.(inc|class)\.php$">
    Order allow,deny
    Deny from all
</FilesMatch>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
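The same idea in the form a practitioner would deploy today, as an added example that is not part of the thread and not either poster's configuration. It assumes Apache 2.4 (the `Require` syntax of mod_authz_core; the `Order`/`Deny` pair above is 2.2 syntax that only works in 2.4 via mod_access_compat), the `/var/www/dart2` DocumentRoot shown in the tree, and mod_php for the `php_admin_flag` line (with php-fpm that line is silently ignored and the deny rules alone must carry the weight). It uses `<Directory>` rather than `<LocationMatch>` because `Location` sections match the request URL, not the file, and the Apache documentation warns against using them to protect filesystem objects since several URLs can map to one file. The default is to deny the whole include tree and re-allow only the static asset directories, so a `foo.php` with no `.inc`/`.class` in its name is still refused; the `FilesMatch` rules are defence in depth for stray copies elsewhere under the DocumentRoot.

```apache
# Added example (not from the thread). Assumes Apache 2.4 and the
# /var/www/dart2 layout from the tree; /includes/css and /includes/js
# are the only subtrees browsers need to fetch directly.

# Deny the whole include tree by default. <Directory> sections are merged
# shortest path first, so the more specific css/js sections below win.
<Directory "/var/www/dart2/includes">
    Require all denied
    # mod_php only: even if something is reached here, never execute it.
    php_admin_flag engine off
</Directory>

# Static assets are re-allowed explicitly, but nothing ending in .php
# is served out of them even as plain text (engine is off above).
<Directory "/var/www/dart2/includes/css">
    Require all granted
    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>
</Directory>
<Directory "/var/www/dart2/includes/js">
    Require all granted
    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>
</Directory>

<Directory "/var/www/dart2/UPDATES">
    Require all denied
</Directory>

# Defence in depth for the whole DocumentRoot: files named like includes
# or SQL dumps are refused wherever they live. These sections apply after
# the <Directory> sections, so they cannot re-open anything denied above.
<Directory "/var/www/dart2">
    <FilesMatch "\.(inc|class)\.php$">
        Require all denied
    </FilesMatch>
    <FilesMatch "\.sql$">
        Require all denied
    </FilesMatch>
</Directory>
```

After `apachectl configtest` and a reload, verify from the outside rather than trusting the file: `curl -s -o /dev/null -w '%{http_code}\n' http://HOST/includes/classes/Foo.class.php` and the same for `/includes/functions/foo.php` and `/UPDATES/` must return 403, while `/includes/js/jquery.js` must still return 200 (HOST and the file names are placeholders). Keep the original advice from the thread in mind too: moving `includes/` outside the DocumentRoot makes all of this unnecessary, and the config above is the fallback for when that is not possible.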