I know that the AddHandler directive allows you to associate a file extension with a a process.
Is it possible to associate a single file with a process?
For example, I would like to process something.css go run a PHP script to generate some CSS dynamically.
From what I have read so far, it might be possible using something like:
<Files something.css>
# go off to PHP script
</Files>
… but I don’t know what to do next.
OK, here’s how I got it working:
# .htaccess
<Files something.css>
RewriteEngine On
RewriteRule ^(.+)$ /styles/something.php [QSA,L]
</Files>
This goes directly into the /styles/ directory, since you can’t specify directories in the Files directive.
Related
i want to deliver epub-file via online-shop.
is .htaccess + mod_rewrite the right way to manage the permission for epub-files (epub-shop)?
# .htaccess in epub-folder
# sends every file to "download.php"
RewriteEngine On
RewriteRule \.php$ - [L]
RewriteRule (.*) download.php?file=$1
download.php manage the licence part. is there any hack/trick to get the files without the licence? Directly via deeplink?
thanks for help!
You usually do access control via the directives in mod_authz_host. This document outlines how you can do this.
If you have access to the main configuration file of Apache (httpd.conf or something alike), I would recommend adding a directory section to it. Afterwards you need to restart your Apache.
<Directory /a/b/c/epub/>
Order Deny,Allow
Deny from all
</Directory>
Order tells in which order directives are processed. Deny from all denies direct access from everyone.
Otherwise, you can add a .htaccess in the epub directory, then add the same 2 directives to it without the directory block.
I recently played with a .htaccess file to make one server to parse PHP files. Yesterday I uploaded the same .htaccess file and tried to test a PHP file. But something went wrong: visiting my page the browser offers to download the the html page rather then viewing the page!
On the server the filenames end in .html.
I added the following to my .htaccess file:
AddType application/x-httpd-php .html
I tried to find the htaccess file, but once uploaded it just disappears from the root dir.
I tried to upload other scripts I've found browsing. I even tried to search for some problem on a hosting forum. Nothing helped.
Please help!
Try this
AddType application/x-httpd-php .php .htm .html
OR
AddHandler application/x-httpd-php .php .htm .html
And remove other overriding handlers for application/x-httpd-php after above code.
Right, firstly things first, what host do you use?
Also what ftp client you are using? Some by default won't display files starting with . such as .htaccess and .htpasswd, that's why it may appear that you didn't upload it. Also it might be that you don't have the rights to upload in the very root directory, try to go one directory up.
Also from my experience, hosts won't allow you to modify headers via .htaccess this way, because the allowoverride directive is off; instead have a look at url rewrites (via mod_rewrite), which allow you to do the same thing without modifying headers.
Your rewrite .htaccess file might look something like:
RewriteEngine On
RewriteBase /
RewriteRule ^(\w+)\.html$ $1.php [NC]
(Not tested though)
Using a rewrite will also mean that your files will in fact maintain the php extension, however they will be access via urls that include .html extension.
So, ok. I have many php files and one index.php file. All files can't work without index.php file, because I include them in index.php. For example. if somebody click Contact us the URL will become smth like index.php?id=contact and I use $_GET['id'] to include contacts.php file. But, if somebody find the file's path, for example /system/files/contacts.php I don't want that that file would be executed. So, I figured out that I can add before including any files in index.php line like this $check_hacker = 1 and use if in every files beginning like this if($check_hacker <> 1) die();. So, how can I do it without opening all files and adding this line to each of them? Is it possible? Because I actually have many .php files. And maybe there is other way to do disable watching separate file? Any ideas? Thank you.
You could put your index.php alone in your web directory. And put all the files it includes in another non web directory.
Let's say you website http://www.example.com/index.php is in fact /path/to/your/home/www/index.php, you can put contact.php in /path/to/your/home/includes/contact.php. No .htaccess, rewrite, auto appending. Just a good file structure and a server configured like needed.
Edit to detail my comment about using xamp :
In your httpd.conf file, add something like this :
<Directory "/path/to/your/site/root">
Options Indexes FollowSymLinks
AllowOverride all
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Directory>
<VirtualHost *:80>
DocumentRoot /path/to/your/site/root
ServerName www.example.org
</VirtualHost>
Then in your windows hosts file (in C:\Windows\System32\drivers\etc), add this line :
127.0.0.1 www.example.com
I would highly recommend to use the .htaccess file to rejects all requests for files diffrent to index.php but I am not quite sure how to do that propperly.
This might work (can't test it now) but it will also block requests to css, js and so on:
order deny,allow
<FilesMatch "\.php">
deny from all
</FilesMatch>
<FilesMatch "(index.php)">
allow from all
</FilesMatch>
If someone knows the right solution, please edit my answer.
You might check this question: Deny direct access to all .php files except index.php
So you might have a FilesMatch only for php files in addition to the index.php rule.
EDIT: The new version of the code seems to work.
In response to Kau-Boy:
Place all your php files (except index.php) in a new directory and put the .htaccess file with the following contents:
deny from all
Make sure you don't put any images/css/jscript resources in this directory, because they will be blocked as well.
I'd use mod_rewrite in this case (if you are using Apache). It's much cleaner solution than writing gazillions of useless ifs in PHP.
This way, if someone wanted to "hack it" and tried /system/files/contacts.php, it'd redirect them to index.php?id=contact or whatever other site.
In your php.ini or in you htaccess set the following variable:
auto_prepend_file="[path to some .php file]"
This will include a header file of your choice that will be included before all php scripts on the system.
The php.ini directive auto_append_file, will create a footer that is included at the end of all PHP files on the system.
Check out the technique at http://www.electrictoolbox.com/php-automatically-append-prepend/
RewriteCond %{REQUEST_URI} system.*
RewriteRule ^(.*)$ /index.php?/$1 [L]
Will redirect any attempt to system folder back to root!
I am trying to do the following in my web application:
<img src="static.example.com/image01.jpg?width=300&height=300" />
Is it possible to have my server (I use Apache in a shared hosting environment) run a PHP script when accessing a .jpg (or any filetype that I chose) instead of just serving the file?
I know that the PHP script has to set the right headers etc, I'm just wondering how it can be run in the first place.
I know this can be done as so :
<img src="static.example.com/get_image.php?name=image_01.jpg&width=300&height=300" />
but that's not how I would like to have it.
You could use mod_rewrite provided you are in a subdirectory, or that is all your other static.example.com will be doing.
Add something like this to your .htaccess in that subdirectory.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{query_string} ^height=([^&]+)&width=([^&]+)
RewriteRule (.*\.jpg|.*\.png|.*\.gif) controller.php?name=$1&height=%1&width=%2
</IfModule>
EDIT: Try the above. Like everything else, untested... :)
The order of the GET parameters becomes important.
test.jpg?height=100&width=120
should get turned into
controller.php?name=test.jpg&height=100&width=120
Another approach would be to make apache serve .jpg as php scripts for that directory.
Just look in your httpd.conf or php.conf and look for .php. Find that directive, and duplicate it within a <Directory> for .jpg.
I've never actually tried this for a single directory, but ultimately it would be faster than the mod_rewrite route.
Something like:
<Files *.jpg>
SetOutputFilter PHP
SetInputFilter PHP
</Files>
AddType application/x-httpd-php .jpg
I'm making a website which allows people to upload files, html pages, etc... Now I'm having a problem. I have a directory structure like this:
-/USERS
-/DEMO1
-/DEMO2
-/DEMO3
-/etc... (every user has his own direcory here)
-index.php
-control_panel.php
-.htaccess
Now I want to disable PHP, but enable Server-side includes in the direcories and subdirectories inside /USERS
Can this be done (and if so, how)?
I use WAMP server
Try to disable the engine option in your .htaccess file:
php_flag engine off
To disable all access to sub dirs (safest) use:
<Directory full-path-to/USERS>
Order Deny,Allow
Deny from All
</Directory>
If you want to block only PHP files from being served directly, then do:
1 - Make sure you know what file extensions the server recognizes as PHP (and dont' allow people to override in htaccess). One of my servers is set to:
# Example of existing recognized extenstions:
AddType application/x-httpd-php .php .phtml .php3
2 - Based on the extensions add a Regular Expression to FilesMatch (or LocationMatch)
<Directory full-path-to/USERS>
<FilesMatch "(?i)\.(php|php3?|phtml)$">
Order Deny,Allow
Deny from All
</FilesMatch>
</Directory>
Or use Location to match php files (I prefer the above files approach)
<LocationMatch "/USERS/.*(?i)\.(php3?|phtml)$">
Order Deny,Allow
Deny from All
</LocationMatch>
If you're using mod_php, you could put (either in a .htaccess in /USERS or in your httpd.conf for the USERS directory)
RemoveHandler .php
or
RemoveType .php
(depending on whether PHP is enabled using AddHandler or AddType)
PHP files run from another directory will be still able to include files in /USERS (assuming that there is no open_basedir restriction), because this does not go through Apache. If a php file is accessed using apache it will be serverd as plain text.
Edit
Lance Rushing's solution of just denying access to the files is probably better
<Directory /your/directorypath/>
php_admin_value engine Off
</Directory>
This will display the source code instead of executing it:
<VirtualHost *>
ServerName sourcecode.testserver.me
DocumentRoot /var/www/example
AddType text/plain php
</VirtualHost>
I used it once to enable other co-worker to have read access to the source code from the local network (just a quick and dirty alternative).
WARNING !:
As Dan pointed it out sometime ago, this method should never be used in production. Please follow the accepted answer as it blocks any attempt to execute or display php files.
If you want users to share php files (and let others to display the source code), there are better ways to do it, like git, wiki, etc.
This method should be avoided! (you have been warned. Left it here for educational purposes)
None of those answers are working for me (either generating a 500 error or doing nothing). That is probably due to the fact that I'm working on a hosted server where I can't have access to Apache configuration.
But this worked for me :
RewriteRule ^.*\.php$ - [F,L]
This line will generate a 403 Forbidden error for any URL that ends with .php and ends up in this subdirectory.
#Oussama lead me to the right direction here, thanks to him.
If you use php-fpm, the php_admin_value will NOT work and gives an Internal Server Error.
Instead use this in your .htaccess. It disables the parser in that folder and all subfolders:
<FilesMatch ".+\.*$">
SetHandler !
</FilesMatch>
This might be overkill - but be careful doing anything which relies on the extension of PHP files being .php - what if someone comes along later and adds handlers for .php4 or even .html so they're handled by PHP. You might be better off serving files out of those directories from a different instance of Apache or something, which only serves static content.
On production I prefer to redirect the requests to .php files under the directories where PHP processing should be disabled to a home page or to 404 page. This won't reveal any source code (why search engines should index uploaded malicious code?) and will look more friendly for visitors and even for evil hackers trying to exploit the stuff.
Also it can be implemented in mostly in any context - vhost or .htaccess.
Something like this:
<DirectoryMatch "^${docroot}/(image|cache|upload)/">
<FilesMatch "\.php$">
# use one of the redirections
#RedirectMatch temp "(.*)" "http://${servername}/404/"
RedirectMatch temp "(.*)" "http://${servername}"
</FilesMatch>
</DirectoryMatch>
Adjust the directives as you need.
I use in Centos 6.10 for multiple folders in virtual host .conf definitioin file:
<DirectoryMatch ^/var/www/mysite/htdocs/(nophpexecutefolder1|nophpexecutefolder2)>
php_admin_value engine Off
</DirectoryMatch>
However, even though it doesn't parse php code the usual way it still outputs from a .php things such as variable declarations and text when doing echo e.g.
<?php
echo "<strong>PHP CODE EXECUTED!!";
$a=1;
$b=2;
echo $a+$b;
The above produces in web browser?
PHP CODE EXECUTED!!"; $a=1; $b=2; echo $a+$b;
This could potentially expose some code to users which isn't ideal.
Therefore, it's probably best to use the above in combination with the following in .htaccess:
<FilesMatch ".*.(php|php3|php4|php5|php6|php7|php8|phps|pl|py|pyc|pyo|jsp|asp|htm|html|shtml|phtml|sh|cgi)$">
Order Deny,Allow
Deny from all
#IPs to allow access to the above extensions in current folder
# Allow from XXX.XXX.XXX.XXX/32 XXX.XXX.XXX.XXX/32
</FilesMatch>
The above will prevent access to any of the above file extensions but will allow other extensions such as images, css etc. to be accessed the usual way. The error when accessing .php:
Forbidden
You don't have permission to access /nophpexecutefolder1/somefile.php on this server.
<Files *.php>
Order deny,Allow
Deny from all
</Files>