Commit 168c314d authored by Alex Pott

Issue #1587270 by klausi, greggles, sun: Forbid execution of PHP files in subfolders by default (except those needed by core).
parent ec9e2b5f
...@@ -126,17 +126,20 @@ DirectoryIndex index.php index.html index.htm ...@@ -126,17 +126,20 @@ DirectoryIndex index.php index.html index.htm
RewriteCond %{REQUEST_URI} !=/favicon.ico RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^ index.php [L] RewriteRule ^ index.php [L]
# If this is a production site you may want to forbid access to PHP files in # For security reasons, deny access to other PHP files on public sites.
# subfolders for security reasons. If you need to directly execute PHP files # Note: The following URI conditions are not anchored at the start (^),
# in a module or want to run another PHP application somewhere in your # because Drupal may be located in a subdirectory. To further improve
# docroot tree you might want to modify this. Uncomment the following two # security, you can replace '!/' with '!^/'.
# lines to only allow PHP files in the webroot and in "/core": # Allow access to PHP files in /core (like update.php or install.php):
# RewriteCond %{REQUEST_URI} !^/core/[^/]*\.php$ RewriteCond %{REQUEST_URI} !/core/[^/]*\.php$
# RewriteRule "^.+/.*\.php$" - [F] # Allow access to test-specific PHP files:
# Example for allowing just one PHP file of statistics module: RewriteCond %{REQUEST_URI} !/core/modules/system/tests/https?.php$
# RewriteCond %{REQUEST_URI} !^/core/[^/]*\.php$ # Allow access to Statistics module's custom front controller.
# RewriteCond %{REQUEST_URI} !^/core/modules/statistics/statistics.php$ # Copy and adapt this rule to directly execute PHP files in contributed or
# RewriteRule "^.+/.*\.php$" - [F] # custom modules or to run another PHP application in the same directory.
RewriteCond %{REQUEST_URI} !/core/modules/statistics/statistics.php$
# Deny access to any other PHP files that do not match the rules above.
RewriteRule "^.+/.*\.php$" - [F]
# Rules to correctly serve gzip compressed CSS and JS files. # Rules to correctly serve gzip compressed CSS and JS files.
# Requires both mod_rewrite and mod_headers to be enabled. # Requires both mod_rewrite and mod_headers to be enabled.
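Review bot: The exemption conditions match more than their comments describe. `!/core/[^/]*\.php$` is unanchored, so any request URI ending in `/core/<name>.php` at any depth, not only Drupal's own /core directory, skips the deny rule, and `https?.php$` and `statistics/statistics.php$` leave the dot before `php` unescaped, so it matches any character. The comment explains the unanchored form as a trade-off for subdirectory installs, but mentions the stricter variant only in passing; consider escaping the dots (`https?\.php$`, `statistics\.php$`) in this change and saying in the comment that sites installed at the docroot should switch to `!^/`. The lead comment also says "other PHP files", while the pattern `^.+/.*\.php$` only covers files below the top-level directory, which is what the commit message ("in subfolders") states; wording the comment the same way would remove that mismatch.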
......