if I have /faq.php on the server it can also be accessed via /faq.php/nonexistant.gif why? I have made sure MultiViews are disabled. Why does the contents of /faq.php get shown when I access the URI /faq.php/randomstuff.gif? FYI, I have no htaccess file in the same directory.
/nonexistant.gif will be HTTP "PATH_INFO": http://www.ietf.org/rfc/rfc3875, section 4.1.5
Basically, the webserver will scan "down" a url until it hits an actual file. Anything after that file in the url becomes PATH_INFO.
http://example.com/some/path/leading/to/realfile.php/extra/stuff/that/becomes/path/info
^^^^^^^^^^^^^^^^^^^^--- real directories
^^^^^^^^^^^^--actual file, scanning stops here
^^-----onwards = path_info
That is called path_info. You can disable it using AcceptPathInfo Off in the apache config. People generally use it as a fake mod rewrite when mod rewrite is not availalble.
http://httpd.apache.org/docs/2.2/mod/core.html#acceptpathinfo
Related
Let's take a proper URL to a php-Page like:
https://secure.php.net/ChangeLog-7.php
If we now add a trailing slash and some random garbage like this:
https://secure.php.net/ChangeLog-7.php/nonexistentfolder/anotherfile.html
the URL still works. In my opinion, it should have generated a 404-Error because "nonexistentfolder" is a folder not existing on the remote server as well as "anotherfile.html" is a non existent file.
This seems to happen generally, independent from webserver or rewrite-rules, so it seems to have its source in the PHP-Webserver-Module.
I do understand, what PATH_INFO is, but i do not understand, why calling such a URL does not generate a 404 response which would be the case if the existing file in the URL would be .html (and not .php).
How do people deal with this i.e. to avoid such bogus links making their way to search engines or alike?
Thanks!
According to the Apache Documentation, the Setting for AcceptPathInfo depends on the Handler used to answer the request. Handlers to answer requests for .html and .php files are different and it seems the default of the handler for .php is to accept PATH_INFO.
If you want the webserver to reply with a 404-Status, when the url is pointing to an invalid file/folder but includes a valid .php file at the beginning of the url, you can do so by adding the following i.e. to a .htaccess-file:
<Files ~ "\.php$">
AcceptPathInfo Off
</Files>
Problem: Suppose a URL is requesting a file that doesn't exist, e.g. mydomain.com/index.php/bogus
There is no folder named 'bogus' so I expect a '404 not found' response, but instead Apache sends the request to /index.php (which does exist). Why? How do I change it to respond '404 not found'?
I suppose that, in theory, Apache does this to let me generate a custom index page for the folder 'bogus' (which however does not exist). But in practice, by returning a page with 200 response, it is causing confusion to search engines and accidental visitors. My PHP code in 'index.php' is not expecting this URL and so it generates broken links in its dynamic navigation routines.
I've tried to disable indexes (Option -Indexes) and directory indexing (DirectoryIndex disabled) and removed .htaccess (AllowOverride None). None of these changed the response. I've searched stackoverflow and it has plenty of "how to serve a file instead of 404" but this is the opposite: I want Apache to return 404 instead of serving a PHP file from higher up in the file system.
My server environment is Windows Server 2008, Apache 2.2.22, and PHP 5.3. No mod_rewrite.
The solution that works is to add AcceptPathInfo Off to the Apache config file.
This directive controls whether requests that contain trailing pathname information that follows an actual filename (or non-existent file in an existing directory) will be accepted or rejected. The trailing pathname information can be made available to scripts through the CGI (common gateway interface) specifications.
When AcceptPathInfo is 'Off', the CGI parsing will keep the URL as one long string and look for a file in your filesystem to match.
When AcceptPathInfo is 'On', the CGI will separates the URL into a script name PLUS the following characters are information made available to the script.
The Apache core docs have more info: http://httpd.apache.org/docs/2.0/mod/core.html#acceptpathinfo
You don't have a folder named index.php, you have a file with that name. I think apache finds the file and decides it's found what was requested, so it serves the file.
In your index.php file, you can check that $_SERVER['REQUEST_URI'] is a valid request for index.php. If it isn't a valid request, you can use the PHP http_response_code(404) or header() functions to make your index.php return 404 for invalid URLs.
In my Localhost:
Without using .htaccess, I created a folder named test and a file test.php.
I can run the file from url http://localhost/test/test
In my amazon server with cpanel:
I put the same folder with that file but displays internal server error after checking the url http://example.com/test/test
I tried:
Changing the Allowoverride None to All
enabling mod rewrite
This is actually for a large project. But using a test in this case.
It is possible to rewrite URLs without an htaccess file. That's because you can also use rewrite rules in the Apache configuration files. In a VirtualHost block for example. I guess your localhost is set up that way, so take a look in those server config files.
For your amazon server to work, you either can work with an htaccess file (easiest way) or you can put those rules in the server config files.
I just updated my Ubuntu outdated development server, and it broke down some configuration.
Now apache/php does not properly handle urls like index.php/profile, but will handle correctly just index.php.
Basically if there some path after index.php, then it will return 404 error:
The requested URL /index.php/profile was not found on this server.
What configuration option is likely to fix this problem? I need to fix this urgently. Thanks in advance!
Check the setting of AcceptPathInfo:
This directive controls whether requests that contain trailing pathname information that follows an actual filename (or non-existent file in an existing directory) will be accepted or rejected. The trailing pathname information can be made available to scripts in the PATH_INFO environment variable.
For example, assume the location /test/ points to a directory that contains only the single file here.html. Then requests for /test/here.html/more and /test/nothere.html/more both collect /more as PATH_INFO.
I have a problem trying to hide .php extension from the url
I have been asked to hide it and because they are on a shared host i don't think i have access to .htacess so is there another way to hide it through a php function that i would call everytime an anchor is being selected?
Is this truly about hiding .php or is it more about having cleaner URLs?
If you truly can't access .htaccess (i.e. your host has this turned off via AllowOverride None) and assuming you also can't have your Apache conf settings updated for your VHost, the best you can do may be
http://example.com/page.php/my/clean/url
By default, Apache will send this URL to page.php even with everything else after it. This is the most common way of creating "cleaner" URLs without access to mod_rewrite.
.htaccess is what you would have access to on a shared server, as opposed to httpd.conf, which you wouldn't.
Put a .htaccess file in your document root with the following
FAIL
If your site stops loading, then you can use .htaccess :)
Of course, ^ that is a joke.