[SOLVED] Disable php everywhere except /index.php

Guttorm · 11-24-2017, 09:43 AM

Hello

We have a Laravel project, and a question came up - can we make the public or htdocs folder writable for PHP scripts (www-data)? It's usually denied, but in this project, it would be nice if PHP could write .html and .js files in the public folder. Then those files don't have to go thru the the regular PHP/Laravel routes and will be cached by the browser.

So I thought it could be ok, except I would like to disable PHP execution everywhere except to the root - /index.php. There could be a bug somewhere, and if someone managed to put .php files in the public folder, the server will execute it. So I made this Apache rule:

Code:

<FilesMatch "!(^index\.php$)">
    php_flag engine off
</FilesMatch>

It worked. The project still works (/ or /index.php is executed) and other php files are not. But, when there are subdirectories like /foo or /foo/index.php the php is still executed.

I looked at DirectoryMatch and LocationMatch, but couldn't figure out a rule like that. Any ideas how to solve this?

bathory · 11-24-2017, 04:13 PM

Hi,

You can use the If directive line this:

Code:

<If "%{REQUEST_URI} !~ m#^/index.php#">
    php_flag engine off
</If>

Using this code, client is prompted to open/save the php file(s) that don't match the condition above.
I personally don't like this approach. I would use mod_rewrite to redirect/forbid visiting any .php file except /index.php

Regards

Guttorm · 11-27-2017, 02:22 AM

Thank you.

I already have some mod_rewrite rules installed by Laravel. But it seems it doesn't redirect if the files exist. Just adding your rule worked, and so does the Laravel project.