Just very quick question about php.ini file. I created my own on my php.ini file and it works fine if I put it inside my 'public_html' directory. However the problem is it can obviously be viewed in browser through HTTP requests.
So, I am trying to move it outside my 'public_html' directory however it does not seem to work when outside my 'public_html'.
I know I could perhaps set in my .htaccess the following to avoid it being read:
<Files php.ini>
Order allow,deny
Deny from all
</Files>
However I do not want to do this as my php.ini can still get cached by Google if it's in the 'public_html' directory. Is there any suggestions to make it work outside my public_html?
I am running an Apache server. Thanks for any suggestions
You can use the PHPRC environment variable...see the documentation:
http://www.php.net/manual/en/configuration.file.php
It can't get cached by google if you block like that in .htaccess
Two suggestions:
Ensure that Apache can find your php.ini (PHPINIDIR /path/where/php.ini/is/located)
Ensure the file is readable by the webserver user.
How is it that you php.ini came to be in a web server accessible folder? It is the first time I hear of such a situation.
I thought hard on how you managed to do this, and the only answer I came up with is that you created a vhost in php folder. If that is the case, create another vhost out of the php.ini path, and remove the offending vhost. See this post for examples.
Related
I am creating a cloud storage project, and I want users to be able to upload any file. In particular, I want people to be able to upload .htaccess files, but I don't want Apache using these files as this is a security concern. How can I prevent Apache from using the user uploaded file, while still using my own .htaccess file in a parent folder?
This question is helpful reading. Directives near the www-root are applied first, subfolders are used later and may overwrite previous settings.
There are some things you can do:
Don't use .htaccess files at all, not even in other directories. If you have a dedicated server, you can edit the server config file, which is much more efficient. It will allow you to set AllowOverride None, which will prevent Apache from using .htaccess files at all. Instead, you can accomplish the same by putting your rules in the server config file. You'll need to restart Apache every time you make a change, and making an error in the server config file will prevent Apache from starting until it is fixed.
Store your files as random characters without an extension, make it impossible to access any files directly, and instead rely on a database to map a filename to a file. This allows you to store files securely, while not dumping everything in your database.
You cannot put anything in your .htaccess file that would prevent .htaccess files in subdirectories to be ignored, because AllowOverride only works in directory context, not in .htaccess context.
I have a file sharing website in the making where I am allowing the visual and function part of pages work. This runs into a problem when I want to allow server side scripting like php pages to be uploaded. This php (etc.) page could easily back link and delete files which I obviously would not want. I have changed the permissions many times to test but this also stops my php files from uploading and renaming files to these folders. I do want to allow these file types but im not sure what I can do.
I was thinking I could do this through .htaccess but I wouldn't know how.
Any suggestions?
I'm not sure, but it sounds like you want to allow arbitrary file uploads (including .PHP scripts) but to prevent any of them from being executed on the server side.
I would recommend creating a file storage directory that is not web-accessible (e.g. put it outside your www-root or use a .htaccess file to limit direct access). Then have your PHP scripts upload to that directory. Create a download script and have download access to those files go through that script, so that e.g. PHP files cannot be invoked remotely.
If I understand correctly from reading comments:
You want users to be able to upload any file. Including code. Including .php, .asp etc.
You want the users to be able to execute this code, but to limit the code to a "sandbox" environment.
Seems to me you should write your files to a specific location, which has its own document root/vhost (http://exec.domain.tld).
On that vhost you could set security, ie:
AllowOverride None # disable rewriting and such
php value disable_functions dl,exec,passthru,system,shell_exec,popen # disable functions
And to top it off (!important) set basedir restrictions to the vhosts document root
<Directory /srv/www/exec.domain.tld/docroot>
php_admin_value open_basedir /srv/www/exec.domain.tld/docroot
</Directory>
I haven't actually set up this environment, but I feel this is your best starting point. And I do think it'll work, if you fix the typo's/parameter name errors i might have made :)
I think it's not about permission, but php execution.
You can turn off php engine on a directory using .htaccess file, like this:
<IfModule mod_php5.c>
php_flag engine off
</IfModule>
I have a processing file for my website's payments. It works just fine, but what I would like to do is log all the requests to this page so that if anything throws an error, the raw data is saved and I can process the transaction manually. The processing file uses fopen to write to the log file in another directory.
What I have right now is a separate folder on my root directory with permissions 755. Then a log file inside with permissions 777. The processing file that writes to the log file, in PHP if that matters, is set to 777.
This works right now, but the log file is publicly available. I know I can be doing this better and that the permissions aren't correct. How can I do this better?
Put the log file outside the document root. The PHP script that writes to it will still be able to get to it (via the full path) but Apache won't be able to serve it.
I came across this whilst searching the answer for myself. I don't believe there is a simple "permissions fix" to do what you want and perhaps the safest way is to put the log files outside of public_html directory.
However this can be a nuisance sometimes - especially if you are wanting to e.g. catch paypal ipn dump text in a log file, but not have it publicly accessible.
In such cases, you can use .htaccess file directives to allow write from script, but deny reading from public access.
For example, this works for me (Apache .htaccess in root public_html folder);
<FilesMatch "mycustom\.log">
Order allow,deny
Deny from all
</FilesMatch>
and if you have multiple logs you want to protect, use it like this, with "Pipe Separated";
<FilesMatch "mycustom\.log|ipn_errors\.log">
Order allow,deny
Deny from all
</FilesMatch>
It is worth noting that the above directives are deprecated as of apache 2.4 and you may wish to consider using more current directives instead: https://httpd.apache.org/docs/2.4/howto/access.html
Hope that helps you!
for example i have this url: http://localhost/miSite/uploads/ and by doing:
http://localhost/miSite/uploads/../includes/, this results in a directory (includes) linsting.
It'd be great if you could tell me a way to resolve this.
Directory Indexing
You can also use .htaccess to disable indexing, or Directory Browsing. By default, this option is turned on in the server's configuration files. To disable this, add this line to your .htaccess file:
Options -Indexes
The possibility of using relative references is not a real problem:
http://localhost/miSite/uploads/../includes/
resolves to
http://localhost/miSite/includes/
which can be addressed directly anyway. If you have sensitive files in there, you should move them outside the web root, or block the directory listing.
What would be a real problem is if the following would work:
http://localhost/../miSite/includes/
which would serve files outside the document root. But that will not happen with an up-to-date web server.
There's 3 things you can do, ranging from least secure to most secure.
Disable indexes as proposed by #Lizard
Make a rule in the htaccess file to deny access to folders people aren't allowed to access
Move the files that shouldn't be accessed outside of the DocumentRoot.
I have a simple PHP script that outputs a dir listing in XML format. I use it to let a flash slideshow know what files are available to show.
I've just added the flash to a website that's powered by Django and the PHP file is now served up as it is, not parsed.
It's in the directory with the images under my media directory.
The server I use runs plesk so I do my config for each domain in a vhost.conf file (which gets included into the main appache conf I think)
It looks like this:
WSGIScriptAlias / /var/www/vhosts/<domain>/conf/django.wsgi
Alias /media/ /var/www/vhosts/<domain>/httpdocs/media/
I thought this meant that requests for anything under / are passed django to handle.
Except when they are for /media/... then they are served by apache as normal from the specified dir.
That works for the images, but does not parse the PHP file.
What should I do?
Maybe read this thread, and port your PHP script to Python:
os.walk() python: xml representation of a directory structure, recursion
So it turns out the problem was two things, making it hard to find.
Thanks Ignacio Vazquez-Abrams, I had my lines the wrong way around.
Once that was solved, PHP would not serve my file because it was in a dir that was symlinked from outside the allowed path(s). I resolved this by turning off open_basedir restrictions for this vhost. My new vhost.conf is below.
<Directory /var/www/vhosts/<domain>/httpdocs>
php_admin_flag engine on
php_admin_value open_basedir none
</Directory>
Alias /media/ /var/www/vhosts/<domain>/httpdocs/media/
WSGIScriptAlias / /var/www/vhosts/<domain>/conf/django.wsgi
If you have not configured Apache so that it knows that .php files under the '/media' directory should be processed by PHP somehow, they will not be. So, the mod_wsgi configuration is fine, the problem is likely your PHP configuration.
How are you configuring PHP? Are you using mod_php, or PHP via fastcgi? How is Apache configured so that it knows to treat .php files as PHP and for what directories has that configuration been applied to?
The WSGIScriptAlias directive there swallows up URLs meant for Alias. Swap the order.