Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to check in .htaccess if PHP is enabled?

Tags:

php

apache

.htaccess

How can I let Apache's .htaccess file check if PHP is enabled? I tried things like <IfModule !mod_php7.0.c> and <IfModule !mod_php7.c> but it doesn not seem to do anything when I enable/disable the module.

I would like to have a fallback in my .htaccess that denies acces from all when PHP is disabled. In order to prevent leakage of plain text PHP code.

I want to do something like this:

# If PHP is not installed, deny all access to .php files to prevent PHP code leakage
<IfModule !mod_php7.c>
    <FilesMatch \.php$>
        order deny,allow
        deny from all
    </FilesMatch>
</IfModule>

Ultimately it will check something like if php7 AND php5 AND php4 are disabled, deny access. Any ideas?

Also, when AllowOverride is None and so the .htaccess file is not doing anything. What are the options in order to prevent the PHP code from leaking in plaintext?

like image 436
Bob Ortiz Avatar asked Sep 12 '16 12:09

Bob Ortiz

2 Answers

<IfModule !mod_php5.c>
    <FilesMatch ".+\.php$">
        Order Deny,Allow
        Deny from all
    </FilesMatch>
</IfModule>

In Apache 2.4

<IfModule !mod_php5.c>
    <FilesMatch ".+\.php$">
        Require all denied
    </FilesMatch>
</IfModule>

In Apache 2.4 there are several new useful features: define, ifdefine, and if, else, ifelse.

In the following we can deny by default and only enable if PHP_IS_ENABLED is defined.

<IfModule mod_php5.c>
    Define PHP_IS_ENABLED
</IfModule>

<IfModule mod_php7.c>
    Define PHP_IS_ENABLED
</IfModule>

# php8
<IfModule mod_php.c>
    Define PHP_IS_ENABLED
</IfModule>

# ...

<IfDefine !PHP_IS_ENABLED>
    <FilesMatch ".+\.php$">
        Require all denied
    </FilesMatch>
</IfDefine>
like image 130
Gerard Roche Avatar answered Oct 10 '22 05:10

Gerard Roche

Here is a solution to check against multiple versions of PHP (e.g. "if php 5 OR php 7 is enabled") that indeed works in .htaccess.

It requires Apache 2.4 with mod_env module (99% it is enabled on your host).

<IfModule mod_php5.c>
    SetEnv PHP_IS_ENABLED yes
</IfModule>

<IfModule mod_php7.c>
    SetEnv PHP_IS_ENABLED yes
</IfModule>

<If "reqenv('PHP_IS_ENABLED') == 'yes' || reqenv('REDIRECT_PHP_IS_ENABLED') == 'yes'">
    ... your directives
</If>

REDIRECT_PHP_IS_ENABLED is required to make this work for requests internally redirected with mod_rewrite.

like image 37
cronfy Avatar answered Oct 10 '22 06:10

cronfy
Sign in to Comment

Related questions

Does Laravel close automatically the DB connections?
how to run php unit multiple times and concatenate the coverage report?
Doctrine2 query builder does not quote the string
Output raw HTML from Laravel
How to customize default data-confirm dialog box in Yii2 Gridview
Dropzone.js inside another PHP form
What macros are available for php config.m4 files?
Database not configured laravel during migration
Load an HTML file directly from public folder as View in Laravel
How to send parameters to queues?
How to check/fix image rotation before upload image using PHP
How to solve SyntaxError: JSON.parse: unexpected character at line 1 column 1 of the JSON data in ajax and php
How can I convert HTML to markdown?
use IFNULL in laravel
Laravel 5.0, migration: how to make integer not a primary key?
Make HTTP/2 request with PHP
phpunit - Help needed about risky tests
Datatables + PHP: Server-Side Processing on Multiple Tables
What does double colon in laravel means
CakePHP 3 REST API + CORS Request and OPTIONS method

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!