Prevent PHP from parsing non-PHP files such as someFile.php.txt


Problem description

I just installed phpdocumentor, but received strange errors. I finally tracked down the problem.

Phpdocumentor creates various files such as someFile.php.txt which contain PHP code, but aren't meant to be parsed. Turns out, my server is parsing them. I've also tested a file name called someFile.txt, and it isn't being parsed.

How do I prevent my PHP server from parsing files such as someFile.php.txt?

My server is PHP Version 5.4.20, Apache 2.2.15, and CentOS 6.4. My /etc/httpd/conf.d/php.conf file is as follows:

#
# PHP is an HTML-embedded scripting language which attempts to make it
# easy for developers to write dynamically generated webpages.
#
<IfModule prefork.c>
  LoadModule php5_module modules/libphp5.so
</IfModule>
<IfModule worker.c>
  LoadModule php5_module modules/libphp5-zts.so
</IfModule>

#
# Cause the PHP interpreter to handle files with a .php extension.
#
AddHandler php5-script .php
AddType text/html .php

#
# Add index.php to the list of files that will be served as directory
# indexes.
#
DirectoryIndex index.php

#
# Uncomment the following line to allow PHP to pretty-print .phps
# files as PHP source code:
#
#AddType application/x-httpd-php-source .phps

Recommended answer

It turns out that the default settings of CentOS Apache actually allow this and it is a known vulnerability. In order to fix it, you will need to edit your Apache config settings. Your PHP settings are typically in /etc/httpd/conf.d/php.conf. The default looks like this:

AddHandler php5-script .php
AddType text/html .php

We need to change it to:

#AddHandler php5-script .php
<FilesMatch \.php$>
    SetHandler application/x-httpd-php
</FilesMatch>
AddType text/html .php

Restart Apache and that should be the end of parsing any file with an extension after .php.

Now, that $ is very important because this is using regex and within regex a $ means "end of string". So that means the file has to END with .php (i.e. no .php.txt) to be parsed by PHP.
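
An added example (not part of the original answer): a simplified Python model of the two matching rules, listing file names that the `AddHandler` line would hand to PHP but the `<FilesMatch \.php$>` block would not. The function names and sample file names are constructed for illustration, and the `AddHandler` model assumes mod_mime's documented behaviour of checking every dot-separated extension, case-insensitively.

```python
import os
import re
import sys

FILESMATCH = re.compile(r"\.php$")  # same pattern as <FilesMatch \.php$>

def addhandler_matches(filename, ext="php"):
    """Simplified model of 'AddHandler php5-script .php' (assumption: mod_mime
    checks every dot-separated extension after the base name, ignoring case)."""
    extensions = filename.split(".")[1:]  # the first segment is the base name
    return ext in (e.lower() for e in extensions)

def filesmatch_matches(filename):
    """Model of the FilesMatch block: the name must END with .php."""
    return FILESMATCH.search(filename) is not None

def audit(filenames):
    """Names handed to PHP by the AddHandler line but not by the FilesMatch block."""
    return [n for n in filenames
            if addhandler_matches(n) and not filesmatch_matches(n)]

def audit_tree(root):
    """Walk a document root and return the paths that audit() flags."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, n) for n in audit(files))
    return sorted(hits)

# Constructed sample names, used when no directory is given
SAMPLE = ["index.php", "someFile.php.txt", "someFile.txt",
          "notes.PHP.bak", "phpinfo.txt", "archive.tar.gz"]

if __name__ == "__main__":
    flagged = audit_tree(sys.argv[1]) if len(sys.argv) > 1 else audit(SAMPLE)
    for name in flagged:
        print(name)
```

Run it with a document root as the only argument to list files that deserve a look before or after changing php.conf; with no argument it prints the flagged names from the constructed sample.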
