Issue #1587270 by klausi: Added comment in .htaccess describing how to forbid execution of PHP files in subfolders.

2013-10-03 12:23:10 +01:00 · 2013-10-03 12:23:10 +01:00 · bc44cbda91
parent cd9ec6ded2
commit bc44cbda91
1 changed files with 12 additions and 0 deletions
--- a/.htaccess
+++ b/.htaccess
@ -122,6 +122,18 @@ DirectoryIndex index.php index.html index.htm
  RewriteCond %{REQUEST_URI} !=/favicon.ico
  RewriteRule ^ index.php [L]

+  # If this is a production site you may want to forbid access to PHP files in
+  # subfolders for security reasons. If you need to directly execute PHP files
+  # in a module or want to run another PHP application somewhere in your
+  # docroot tree you might want to modify this. Uncomment the following two
+  # lines to only allow PHP files in the webroot and in "/core":
+  # RewriteCond %{REQUEST_URI} !^/core/[^/]*\.php$
+  # RewriteRule "^.+/.*\.php$" - [F]
+  # Example for allowing just one PHP file of statistics module:
+  # RewriteCond %{REQUEST_URI} !^/core/[^/]*\.php$
+  # RewriteCond %{REQUEST_URI} !^/core/modules/statistics/statistics.php$
+  # RewriteRule "^.+/.*\.php$" - [F]
+
  # Rules to correctly serve gzip compressed CSS and JS files.
  # Requires both mod_rewrite and mod_headers to be enabled.
  <IfModule mod_headers.c>