使用 .htaccess 在目录(包括所有子目录)中禁用 PHP
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/1271899/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Disable PHP in directory (including all sub-directories) with .htaccess
提问by Gumbo
I'm making a website which allows people to upload files, html pages, etc... Now I'm having a problem. I have a directory structure like this:
我正在制作一个允许人们上传文件、html 页面等的网站...现在我遇到了问题。我有一个这样的目录结构:
-/USERS
-/DEMO1
-/DEMO2
-/DEMO3
-/etc... (every user has his own direcory here)
-index.php
-control_panel.php
-.htaccess
Now I want to disable PHP, but enable Server-side includes in the direcories and subdirectories inside /USERS
现在我想禁用 PHP,但在 /USERS 中的目录和子目录中启用服务器端包含
Can this be done (and how :) )? Thanks in advance.
这可以做到(以及如何:))?提前致谢。
BTW, I use WAMP server
顺便说一句,我使用 WAMP 服务器
回答by Gumbo
Try to disable the engineoptionin your .htaccess file:
尝试禁用.htaccess 文件中的engine选项:
php_flag engine off
回答by Lance Rushing
To disable all access to sub dirs (safest) use:
要禁用对子目录的所有访问(最安全),请使用:
<Directory full-path-to/USERS>
Order Deny,Allow
Deny from All
</Directory>
If you want to block only PHP files from being served directly, then do:
如果您只想阻止直接提供 PHP 文件,请执行以下操作:
1 - Make sure you know what file extensions the server recognizes as PHP (and dont' allow people to override in htaccess). One of my servers is set to:
1 - 确保您知道服务器将哪些文件扩展名识别为 PHP(并且不允许人们在 htaccess 中覆盖)。我的一台服务器设置为:
# Example of existing recognized extenstions:
AddType application/x-httpd-php .php .phtml .php3
2 - Based on the extensions add a Regular Expression to FilesMatch (or LocationMatch)
2 - 基于扩展名向 FilesMatch(或 LocationMatch)添加正则表达式
<Directory full-path-to/USERS>
<FilesMatch "(?i)\.(php|php3?|phtml)$">
Order Deny,Allow
Deny from All
</FilesMatch>
</Directory>
Or use Locationto match php files (I prefer the above files approach)
或者使用Location来匹配 php 文件(我更喜欢上面的文件方法)
<LocationMatch "/USERS/.*(?i)\.(php3?|phtml)$">
Order Deny,Allow
Deny from All
</LocationMatch>
回答by Tom Haigh
If you're using mod_php, you could put (either in a .htaccess in /USERS or in your httpd.conf for the USERS directory)
如果您使用的是 mod_php,则可以放置(在 /USERS 中的 .htaccess 或 USERS 目录的 httpd.conf 中)
RemoveHandler .php
or
或者
RemoveType .php
(depending on whether PHP is enabled using AddHandler or AddType)
(取决于 PHP 是否使用 AddHandler 或 AddType 启用)
PHP files run from another directory will be still able to include files in /USERS (assuming that there is no open_basedir restriction), because this does not go through Apache. If a php file is accessed using apache it will be serverd as plain text.
从另一个目录运行的 PHP 文件仍然能够包含 /USERS 中的文件(假设没有 open_basedir 限制),因为这不会通过 Apache。如果使用 apache 访问 php 文件,它将以纯文本形式提供服务。
Edit
编辑
Lance Rushing's solution of just denying access to the files is probably better
Lance Rushing 拒绝访问文件的解决方案可能更好
回答by lepe
This will display the source code instead of executing it:
这将显示源代码而不是执行它:
<VirtualHost *>
ServerName sourcecode.testserver.me
DocumentRoot /var/www/example
AddType text/plain php
</VirtualHost>
I used it once to enable other co-worker to have read access to the source code from the local network (just a quick and dirty alternative).
我曾经使用过它让其他同事能够从本地网络读取源代码(只是一个快速而肮脏的替代方案)。
WARNING !:
警告 !:
As Dan pointed it out sometime ago, this method should never be used in production. Please follow the accepted answer as it blocks any attempt to execute or display php files.
正如 Dan 前段时间指出的那样,这种方法不应该在生产中使用。请遵循已接受的答案,因为它会阻止任何执行或显示 php 文件的尝试。
If you want users to share php files (and let others to display the source code), there are better ways to do it, like git, wiki, etc.
如果您希望用户共享 php 文件(并让其他人显示源代码),有更好的方法可以做到,例如 git、wiki 等。
This method should be avoided! (you have been warned. Left it here for educational purposes)
这种方法应该避免!(您已被警告。出于教育目的将其留在这里)
回答by Domus
<Directory /your/directorypath/>
php_admin_value engine Off
</Directory>
回答by Fabien Quatravaux
None of those answers are working for me (either generating a 500 error or doing nothing). That is probably due to the fact that I'm working on a hosted server where I can't have access to Apache configuration.
这些答案都不适合我(要么产生 500 错误,要么什么都不做)。这可能是因为我在无法访问 Apache 配置的托管服务器上工作。
But this worked for me :
但这对我有用:
RewriteRule ^.*\.php$ - [F,L]
RewriteRule ^.*\.php$ - [F,L]
This line will generate a 403 Forbidden error for any URL that ends with .phpand ends up in this subdirectory.
对于.php以该子目录结尾并以该子目录结尾的任何 URL,该行将生成 403 Forbidden 错误。
回答by Sergey Podushkin
On production I prefer to redirect the requests to .php files under the directories where PHP processing should be disabled to a home page or to 404 page. This won't reveal any source code (why search engines should index uploaded malicious code?) and will look more friendly for visitors and even for evil hackers trying to exploit the stuff. Also it can be implemented in mostly in any context - vhost or .htaccess. Something like this:
在生产中,我更喜欢将请求重定向到应禁用 PHP 处理的目录下的 .php 文件到主页或 404 页面。这不会泄露任何源代码(为什么搜索引擎应该索引上传的恶意代码?)并且对访问者甚至试图利用这些东西的邪恶黑客来说看起来更友好。它也可以在大多数情况下在任何上下文中实现 - vhost 或 .htaccess。像这样的东西:
<DirectoryMatch "^${docroot}/(image|cache|upload)/">
<FilesMatch "\.php$">
# use one of the redirections
#RedirectMatch temp "(.*)" "http://${servername}/404/"
RedirectMatch temp "(.*)" "http://${servername}"
</FilesMatch>
</DirectoryMatch>
Adjust the directives as you need.
根据需要调整指令。
回答by Dominic Rodger
This might be overkill - but be careful doing anything which relies on the extension of PHP files being .php- what if someone comes along later and adds handlers for .php4or even .htmlso they're handled by PHP. You might be better off serving files out of those directories from a different instance of Apache or something, which only serves static content.
这可能有点矫枉过正——但是在做任何依赖于 PHP 文件扩展的事情时要小心.php——如果有人稍后出现并为它们添加处理程序,.php4或者甚至.html因此它们由 PHP 处理,该怎么办。您最好从不同的 Apache 实例或其他仅提供静态内容的实例中提供这些目录中的文件。
