0

Problem: Suppose a URL is requesting a file that doesn't exist, e.g. mydomain.com/index.php/bogus

There is no folder named 'bogus' so I expect a '404 not found' response, but instead Apache sends the request to /index.php (which does exist). Why? How do I change it to respond '404 not found'?

I suppose that, in theory, Apache does this to let me generate a custom index page for the folder 'bogus' (which however does not exist). But in practice, by returning a page with 200 response, it is causing confusion to search engines and accidental visitors. My PHP code in 'index.php' is not expecting this URL and so it generates broken links in its dynamic navigation routines.

I've tried to disable indexes (Option -Indexes) and directory indexing (DirectoryIndex disabled) and removed .htaccess (AllowOverride None). None of these changed the response. I've searched stackoverflow and it has plenty of "how to serve a file instead of 404" but this is the opposite: I want Apache to return 404 instead of serving a PHP file from higher up in the file system.

My server environment is Windows Server 2008, Apache 2.2.22, and PHP 5.3. No mod_rewrite.

  • Possible duplicate of [What exactly is PATH\_INFO in PHP?](https://stackoverflow.com/questions/2261951/what-exactly-is-path-info-in-php) – iainn Dec 12 '17 at 12:31

2 Answers

1

The solution that works is to add AcceptPathInfo Off to the Apache config file. This directive controls whether requests that contain trailing pathname information that follows an actual filename (or non-existent file in an existing directory) will be accepted or rejected. The trailing pathname information can be made available to scripts through the CGI (common gateway interface) specifications.

  • When AcceptPathInfo is 'Off', the CGI parsing will keep the URL as one long string and look for a file in your filesystem to match.
  • When AcceptPathInfo is 'On', the CGI will separate the URL into a script name plus the following characters, which are information made available to the script.

The Apache core docs have more info: http://httpd.apache.org/docs/2.0/mod/core.html#acceptpathinfo

0

You don't have a folder named index.php, you have a file with that name. I think Apache finds the file and decides it's found what was requested, so it serves the file.

In your index.php file, you can check that $_SERVER['REQUEST_URI'] is a valid request for index.php. If it isn't a valid request, you can use the PHP http_response_code(404) or header() functions to make your index.php return 404 for invalid URLs.

  • Thanks, and that is correct. I do have a home page named 'index.php' and not a folder. I'm trying to figure out why it runs in this scenario instead of Apache returning 404 on its own. – Barry Hansen Dec 11 '17 at 22:58
  • I'm not sure why it doesn't return 404 on its own either. IIS 10 does the same for me, so maybe it's intended behavior. You might try asking at https://serverfault.com/ – ImprobabilityCast Dec 11 '17 at 23:08
  • Apparently this behavior is intended for historical reasons. There is useful background on PATH_INFO at https://serverfault.com/questions/627903/is-the-php-option-cgi-fix-pathinfo-really-dangerous-with-nginx-php-fpm – Barry Hansen Dec 12 '17 at 00:47
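The check suggested in this answer, as an added example that is not code from the thread: a guard for the top of index.php that returns 404 whenever extra path segments follow the script name. The function names `trailing_path_info` and `reject_trailing_path` are hypothetical, and it sends the status with header() because http_response_code() is only available from PHP 5.4, while the question states PHP 5.3.

```php
<?php
// Added example: guard for the top of index.php (hypothetical helper names).

/**
 * Return the extra path that follows the script name in the request,
 * or '' when the request addresses the script (or its directory) exactly.
 */
function trailing_path_info(array $server)
{
    // Apache fills PATH_INFO when AcceptPathInfo lets the request through.
    if (isset($server['PATH_INFO']) && $server['PATH_INFO'] !== '') {
        return $server['PATH_INFO'];
    }

    // Fallback for setups that do not set PATH_INFO:
    // strip the query string, then compare the URL path with SCRIPT_NAME.
    $uri    = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '';
    $qpos   = strpos($uri, '?');
    $path   = rawurldecode($qpos === false ? $uri : substr($uri, 0, $qpos));
    $script = isset($server['SCRIPT_NAME']) ? $server['SCRIPT_NAME'] : '';

    $prefix = $script . '/';
    if ($script !== '' && strncmp($path, $prefix, strlen($prefix)) === 0) {
        return substr($path, strlen($script)); // e.g. "/bogus"
    }
    return '';
}

/**
 * Send a 404 and return true when the URL carries trailing path info.
 */
function reject_trailing_path(array $server)
{
    if (trailing_path_info($server) === '') {
        return false;
    }
    $protocol = isset($server['SERVER_PROTOCOL']) ? $server['SERVER_PROTOCOL'] : 'HTTP/1.1';
    header($protocol . ' 404 Not Found');
    header('Content-Type: text/plain; charset=utf-8');
    echo "404 Not Found\n";
    return true;
}

// mydomain.com/index.php/bogus stops here; mydomain.com/index.php continues.
if (reject_trailing_path($_SERVER)) {
    exit;
}
```

This guard has to run before any output is sent, otherwise header() can no longer change the status line.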