ansaurus

Question

Disable PHP in directory (including all sub-directories) with .htaccess

Answer 1

A:

If you're using mod_php, you could put (either in a .htaccess in /USERS or in your httpd.conf for the USERS directory)

RemoveHandler .php

or

RemoveType .php

(depending on whether PHP is enabled using AddHandler or AddType)

PHP files run from another directory will be still able to include files in /USERS (assuming that there is no open_basedir restriction), because this does not go through Apache. If a php file is accessed using apache it will be serverd as plain text.

Edit

Lance Rushing's solution of just denying access to the files is probably better

Tom Haigh 2009-08-13 13:25:07

I use mod_php, but this does not work, sorry.

Time Machine 2009-08-13 13:27:09

Answer 2

+1 A:

To disable all access to sub dirs (safest) use:

<Directory full-path-to/USERS>
     Order Deny,Allow
     Deny from All
 </Directory>

If you want to block only PHP files from being served directly, then do:

1 - Make sure you know what file extensions the server recognizes as PHP (and dont' allow people to override in htaccess). One of my servers is set to:

# Example of existing recognized extenstions:
AddType application/x-httpd-php .php .phtml .php3

2 - Based on the extensions add a Regular Expression to FilesMatch (or LocationMatch)

 <Directory full-path-to/USERS>
     <FilesMatch "\.(php3?|phtml)$">  
         Order Deny,Allow
         Deny from All
     </FilesMatch>
 </Directory>

Or use Location to match php files (I prefer the above files approach)

<LocationMatch "/USERS/.*\.(php3?|phtml)$">
     Order Deny,Allow
     Deny from All
</LocationMatch>

Lance Rushing 2009-08-13 13:30:24

Answer 3

+1 A:

This might be overkill - but be careful doing anything which relies on the extension of PHP files being .php - what if someone comes along later and adds handlers for .php4 or even .html so they're handled by PHP. You might be better off serving files out of those directories from a different instance of Apache or something, which only serves static content.

Dominic Rodger 2009-08-13 13:36:26

People cannot edit or upload .htaccess files. Offcourse

Time Machine 2009-08-13 14:37:43

@Nevermind - I'm not talking about your users. I'm talking about you, or some other sys-admin 2 years down the line.

Dominic Rodger 2009-08-13 14:51:51

Answer 4

+5 A:

Try to disable the engine option in your .htaccess file:

php_flag engine off

Gumbo 2009-08-13 13:46:37

What happens when someone browses to file in the web browser? Does the source code show?

Lance Rushing 2009-08-13 15:48:15

@Lance Rushing: The file’s content will be send to the client. But why don’t you just try it yourself to see what happens?

Gumbo 2009-08-13 16:10:54

@Lance: This really doesn't matter. Trust me, I really do tell the user he can't use PHP =P

Time Machine 2010-03-22 15:12:52

Answer 5

A:

This will display the source code instead of executing it:

<VirtualHost *>
    ServerName sourcecode.testserver.me
    DocumentRoot /var/www/example
    AddType text/plain php
</VirtualHost>

I used it to enable other co-workers to have read access to the source code (just a quick alternative).

lepe 2009-12-14 02:24:47

ansaurus

tags:

views:

answers:

Disable PHP in directory (including all sub-directories) with .htaccess

related questions