问题
I just installed phpdocumentor, but received strange errors. I finally tracked down the problem.
Phpdocumentor creates various files such as someFile.php.txt which contains PHP code, but aren't meant to be parsed. Turns out, my server is parsing them. I've also tested a file name called someFile.txt, and it isn't being parsed.
How do I prevent my PHP server from parsing files such as someFile.php.txt?
My server is PHP Version 5.4.20, Apache 2.2.15, and CentOS 6.4. My /etc/httpd/conf.d/php.conf
file is as follows:
#
# PHP is an HTML-embedded scripting language which attempts to make it
# easy for developers to write dynamically generated webpages.
#
<IfModule prefork.c>
LoadModule php5_module modules/libphp5.so
</IfModule>
<IfModule worker.c>
LoadModule php5_module modules/libphp5-zts.so
</IfModule>
#
# Cause the PHP interpreter to handle files with a .php extension.
#
AddHandler php5-script .php
AddType text/html .php
#
# Add index.php to the list of files that will be served as directory
# indexes.
#
DirectoryIndex index.php
#
# Uncomment the following line to allow PHP to pretty-print .phps
# files as PHP source code:
#
#AddType application/x-httpd-php-source .phps
回答1:
It turns out that the default settings of CentOS Apache actually allow this and it is a known vulnerability. In order to fix it, you will need to edit your Apache config settings. Your PHP settings are typically in /etc/httpd/conf.d/php.conf
. The default looks like this
AddHandler php5-script .php
AddType text/html .php
We need to change it to
#AddHandler php5-script .php
<FilesMatch \.php$>
SetHandler application/x-httpd-php
</FilesMatch>
AddType text/html .php
Restart Apache and that should be the end of parsing any file with an extension after .php
Now, that $
is very important because this is using regex
and within regex
a $
means "end of string". So that means the file has to END with .php
(i.e. no .php.txt
) to be parsed by PHP.
回答2:
I'm having the same problem on CentOS 6.5, and I needed to fix this in a virtual environment where I don't have access to php.conf
.
I used the following in a .htaccess
file.
# Match anything that ends with .php.txt
<FilesMatch \.php\.txt$>
RemoveHandler .php
ForceType text/plain
</FilesMatch>
I don't allow uploads by users, so I'm not worried about any security implications. I just wanted to get the .php.txt
extension working. This did the trick.
来源:https://stackoverflow.com/questions/20533279/prevent-php-from-parsing-non-php-files-such-as-somefile-php-txt