Prevent PHP from parsing non-PHP files such as someFile.php.txt

那年仲夏 提交于 2021-02-04 17:37:07

问题


I just installed phpdocumentor, but received strange errors. I finally tracked down the problem.

Phpdocumentor creates various files such as someFile.php.txt which contains PHP code, but aren't meant to be parsed. Turns out, my server is parsing them. I've also tested a file name called someFile.txt, and it isn't being parsed.

How do I prevent my PHP server from parsing files such as someFile.php.txt?

My server is PHP Version 5.4.20, Apache 2.2.15, and CentOS 6.4. My /etc/httpd/conf.d/php.conf file is as follows:

#
# PHP is an HTML-embedded scripting language which attempts to make it
# easy for developers to write dynamically generated webpages.
#
<IfModule prefork.c>
  LoadModule php5_module modules/libphp5.so
</IfModule>
<IfModule worker.c>
  LoadModule php5_module modules/libphp5-zts.so
</IfModule>

#
# Cause the PHP interpreter to handle files with a .php extension.
#
AddHandler php5-script .php
AddType text/html .php

#
# Add index.php to the list of files that will be served as directory
# indexes.
#
DirectoryIndex index.php

#
# Uncomment the following line to allow PHP to pretty-print .phps
# files as PHP source code:
#
#AddType application/x-httpd-php-source .phps

回答1:


It turns out that the default settings of CentOS Apache actually allow this and it is a known vulnerability. In order to fix it, you will need to edit your Apache config settings. Your PHP settings are typically in /etc/httpd/conf.d/php.conf. The default looks like this

AddHandler php5-script .php
AddType text/html .php

We need to change it to

#AddHandler php5-script .php
<FilesMatch \.php$>
    SetHandler application/x-httpd-php
</FilesMatch>
AddType text/html .php

Restart Apache and that should be the end of parsing any file with an extension after .php

Now, that $ is very important because this is using regex and within regex a $ means "end of string". So that means the file has to END with .php (i.e. no .php.txt) to be parsed by PHP.




回答2:


I'm having the same problem on CentOS 6.5, and I needed to fix this in a virtual environment where I don't have access to php.conf.

I used the following in a .htaccess file.

# Match anything that ends with .php.txt
<FilesMatch \.php\.txt$>
    RemoveHandler .php
    ForceType text/plain
</FilesMatch>

I don't allow uploads by users, so I'm not worried about any security implications. I just wanted to get the .php.txt extension working. This did the trick.



来源:https://stackoverflow.com/questions/20533279/prevent-php-from-parsing-non-php-files-such-as-somefile-php-txt

标签
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!