From bc44cbda919c744f96443a154817bc0168c8598e Mon Sep 17 00:00:00 2001
From: Alex Pott <alex.a.pott@googlemail.com>
Date: Thu, 3 Oct 2013 12:23:10 +0100
Subject: [PATCH] Issue #1587270 by klausi: Added comment in .htaccess
 describing how to forbid execution of PHP files in subfolders.

---
 .htaccess | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/.htaccess b/.htaccess
index 45abcc7997fc..ce89e172cec4 100644
--- a/.htaccess
+++ b/.htaccess
@@ -122,6 +122,18 @@ DirectoryIndex index.php index.html index.htm
   RewriteCond %{REQUEST_URI} !=/favicon.ico
   RewriteRule ^ index.php [L]
 
+  # If this is a production site you may want to forbid access to PHP files in
+  # subfolders for security reasons. If you need to directly execute PHP files
+  # in a module or want to run another PHP application somewhere in your
+  # docroot tree you might want to modify this. Uncomment the following two
+  # lines to only allow PHP files in the webroot and in "/core":
+  # RewriteCond %{REQUEST_URI} !^/core/[^/]*\.php$
+  # RewriteRule "^.+/.*\.php$" - [F]
+  # Example for allowing just one PHP file of statistics module:
+  # RewriteCond %{REQUEST_URI} !^/core/[^/]*\.php$
+  # RewriteCond %{REQUEST_URI} !^/core/modules/statistics/statistics.php$
+  # RewriteRule "^.+/.*\.php$" - [F]
+
   # Rules to correctly serve gzip compressed CSS and JS files.
   # Requires both mod_rewrite and mod_headers to be enabled.
   <IfModule mod_headers.c>
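Review bot: The suggested `RewriteRule "^.+/.*\.php$" - [F]` line only forbids requests whose path ends in `.php`, but in per-directory (.htaccess) context mod_rewrite matches against the URI with any trailing PATH_INFO appended, so a request like `/modules/foo/bar.php/x` does not match the pattern yet still executes `bar.php` when the PHP handler accepts path info, which mod_php typically does. The commented rules should anchor on `\.php(/|$)` instead, i.e. `RewriteRule "^.+/.*\.php(/|$)" - [F]` with the matching exception `RewriteCond %{REQUEST_URI} !^/core/[^/]*\.php(/|$)` (and the same form for the statistics.php example). The `^/core/` exception also assumes the site is served from the document root; on a subdirectory install `%{REQUEST_URI}` carries the subdirectory prefix, the condition never matches, and the `/core/` scripts the comment intends to allow would be forbidden too, so the comment should tell readers to add their base path there. Whether other extensions the server maps to PHP (e.g. `.phtml`) need the same treatment depends on the handler configuration and is not covered by these lines.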
-- 
GitLab