
I'm new to Symfony and I'm working on a test project to improve my knowledge. Actually I'm learning Routing, and what I'm trying to do is to deny access if a file with the .disabled extension is requested. I'm talking about files placed in the web directory. So, for example, the file located at web/config.php.disabled cannot be executed/downloaded.

Then I created a route like this

/**
 * @Route("{req}disabled", name="denyAccess", requirements={"req"=".+"})
 */
public function denyAccessAction(Request $request, $req)
{
    return new Response('Access denied');
}

and it is working fine when I request a file that doesn't exist (e.g. http://my.website/file.php.disabled). But when I request an existing file, the route doesn't work and I can download that file without problems. So I guess requesting an existing file placed in the web directory will override any route.

How can I make my route have higher priority than a requested file in web directory?

DrKey

2 Answers

2

This is a Web server configuration problem. In a basic Symfony Web configuration, in order to serve the files contained in your web/ directory, your Web server does not call PHP nor Symfony. Your Symfony application is only the fallback if the file is not found for the given URL.

Now the question is: what are you using as a Web proxy ? Nginx, Apache, HAProxy ?

If you are using Nginx, you should have something like this in your configuration:

location / {
    try_files $uri /app_dev.php$is_args$args;
}

location ~ ^/app_dev\.php(/|$) {
    fastcgi_pass unix:/var/run/php/phpX.X-fpm.sock;
    fastcgi_split_path_info ^(.+\.php)(/.*)$;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
    fastcgi_param DOCUMENT_ROOT $realpath_root;
}

In the first block, try_files does exactly what I told you: first it will try to return the file associated with the given $url, then if it's not found, it falls back to app_dev.php with the same routing parameters. It is then caught by the second block, which forwards the request to PHP.

So, for your particular use case, I suggest you add a block to deny users that would request a file with ".disabled". In Nginx, this is done easily:

location ~ \.disabled/?$ {
    return 403;
}

For other Web server technologies, just check the docs to know how to do this.

Terenoth
1

web/ is a resource folder, and Symfony does not have control over it through the Routing System (unless the URI does not exist).

If you are trying to deny access to config.php, it is already done inside it:

if (!isset($_SERVER['HTTP_HOST'])) {
    exit('This script cannot be run from the CLI. Run it from a browser.');
}

if (!in_array(@$_SERVER['REMOTE_ADDR'], array(
    '127.0.0.1',
    '::1',
))) {
    header('HTTP/1.0 403 Forbidden');
    exit('This script is only accessible from localhost.');
}

So, you can access it from localhost only (development environment), but from an external host, this denies access.


On the other hand, you can deny access to other files by using the Web Server configuration:

yceruto
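The two answers above make the same point from different angles: the web server hands an existing file from web/ straight to the client, so a Symfony route never sees it, and the only reliable place to block it is the server configuration. The following Nginx server block is an added example, not code from either answer or from Symfony; it assembles the answer's try_files and fastcgi blocks into one complete configuration and adds the .disabled deny rule in front of them. The document root path and the server_name are assumptions, and the phpX.X-fpm.sock socket path is the placeholder from the answer.

```nginx
# Added example (not from the original answers): a complete Nginx server block
# that refuses any request whose path ends in ".disabled", whether or not the
# file exists on disk. Root path, server_name and the PHP-FPM socket are assumptions.
server {
    listen 80;
    server_name my.website;          # hostname used in the question
    root /var/www/project/web;       # assumed path to the Symfony web/ directory

    # Regex locations are selected over the plain prefix "location /" below,
    # and the first matching regex in file order wins, so this block handles
    # /config.php.disabled before try_files has a chance to serve it from disk.
    location ~ \.disabled/?$ {
        return 403;
    }

    # Static files first; only on a miss is the request handed to Symfony.
    location / {
        try_files $uri /app_dev.php$is_args$args;
    }

    # Front controller: the only PHP file that is passed to PHP-FPM.
    location ~ ^/app_dev\.php(/|$) {
        fastcgi_pass unix:/var/run/php/phpX.X-fpm.sock;   # placeholder from the answer
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
    }

    # Any other .php file under web/ (config.php included) is neither served
    # as a download nor executed; it never reaches the fastcgi block above.
    location ~ \.php$ {
        return 404;
    }
}
```

After editing the file, run nginx -t to check the syntax and reload the server; then a request for an existing web/config.php.disabled should answer 403 while a request for a normal asset such as web/favicon.ico is still served from disk. Because the deny rule lives in the server and not in Symfony, it applies identically to files that exist and to files that do not.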