防止PHP解析非PHP文件,例如someFile.php.txt [英] Prevent PHP from parsing non-PHP files such as someFile.php.txt
问题描述
我刚刚安装了phpdocumentor,但是收到了奇怪的错误.我终于找到了问题所在.
I just installed phpdocumentor, but received strange errors. I finally tracked down the problem.
Phpdocumentor创建各种文件,例如someFile.php.txt,其中包含PHP代码,但并不意味着要对其进行解析.原来,我的服务器正在解析它们.我还测试了一个名为someFile.txt的文件名,并且没有对其进行解析.
Phpdocumentor creates various files such as someFile.php.txt which contains PHP code, but aren't meant to be parsed. Turns out, my server is parsing them. I've also tested a file name called someFile.txt, and it isn't being parsed.
如何防止我的PHP服务器解析诸如someFile.php.txt之类的文件?
How do I prevent my PHP server from parsing files such as someFile.php.txt?
我的服务器是PHP 5.4.20,Apache 2.2.15和CentOS 6.4.我的/etc/httpd/conf.d/php.conf
文件如下:
My server is PHP Version 5.4.20, Apache 2.2.15, and CentOS 6.4. My /etc/httpd/conf.d/php.conf
file is as follows:
#
# PHP is an HTML-embedded scripting language which attempts to make it
# easy for developers to write dynamically generated webpages.
#
<IfModule prefork.c>
LoadModule php5_module modules/libphp5.so
</IfModule>
<IfModule worker.c>
LoadModule php5_module modules/libphp5-zts.so
</IfModule>
#
# Cause the PHP interpreter to handle files with a .php extension.
#
AddHandler php5-script .php
AddType text/html .php
#
# Add index.php to the list of files that will be served as directory
# indexes.
#
DirectoryIndex index.php
#
# Uncomment the following line to allow PHP to pretty-print .phps
# files as PHP source code:
#
#AddType application/x-httpd-php-source .phps
推荐答案
事实证明,CentOS Apache的默认设置实际上允许这样做,并且它是
It turns out that the default settings of CentOS Apache actually allow this and it is a known vulnerability. In order to fix it, you will need to edit your Apache config settings. Your PHP settings are typically in /etc/httpd/conf.d/php.conf
. The default looks like this
AddHandler php5-script .php
AddType text/html .php
我们需要将其更改为
#AddHandler php5-script .php
<FilesMatch \.php$>
SetHandler application/x-httpd-php
</FilesMatch>
AddType text/html .php
重新启动Apache,这应该是解析任何在 .php
Restart Apache and that should be the end of parsing any file with an extension after .php
现在, $
非常重要,因为它使用的是 regex
,在 regex
中, $
表示字符串结尾".因此,这意味着文件必须以 .php
(即没有 .php.txt
)结束,才能被PHP解析.
Now, that $
is very important because this is using regex
and within regex
a $
means "end of string". So that means the file has to END with .php
(i.e. no .php.txt
) to be parsed by PHP.
这篇关于防止PHP解析非PHP文件,例如someFile.php.txt的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!