0

In my Apache httpd.conf file, I have:

```apache
AddType application/x-httpd-php .php
```

However, when I create a file called "x.class.php" I can access this file directly via http://servername/x

I don't want to block access to these files. I just want to require either 1) the full filename to be used (x.class.php) or 2) at least the .class extension be used (x.class).

Why is the .class.php being processed like .php? And how can I stop this so that only .php files are processed without an extension?

Ryan Griggs
  • 4
    You told Apache to use PHP to process files which end in `.php` so why are you surprised that `x.class.php` ends with `.php`? – MonkeyZeus Apr 10 '18 at 15:05
  • 4
    The basics of security suggest that you should store PHP files which should not be executed via URL below the document root. – MonkeyZeus Apr 10 '18 at 15:07
  • 1
    If your host does not grant access below the document root then the other option is to create a folder named `classes`, store your classes in there, and add a `.htaccess` file to "deny from all" – MonkeyZeus Apr 10 '18 at 15:08
  • I'm not surprised, just don't know how to exclude these. I don't care if they are executed or not, I just don't want them to be executed when specified without extension. Any suggestions? – Ryan Griggs Apr 10 '18 at 15:11
  • Possible duplicate of [Block direct access to a file over http but allow php script access](https://stackoverflow.com/questions/2679524/block-direct-access-to-a-file-over-http-but-allow-php-script-access) – iainn Apr 10 '18 at 15:13
  • I don't care about blocking access. Just requiring the full filename to be used (including .class.php, or even just .class) before the file is executed. – Ryan Griggs Apr 10 '18 at 15:14

1 Answer

1

> Why is the .class.php being processed like .php?

This is a feature called MultiViews.

How to disable: https://serverfault.com/questions/264954/apache-multiviews-how-to-disable-it

> And how can I stop this so that only .php files are processed without an extension?

Set up .htaccess allow/disallow rules.

Halcyon
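The MultiViews behaviour named in the answer, shown as a configuration with the original setting beside the corrected one. This is an added example, not part of the original answer; the directory path is an assumed document root, and the rewrite rule for the `/x.class` form assumes mod_rewrite is loaded.

```apache
# Added example. "/var/www/html" is an assumed document root; use your own.
<Directory "/var/www/html">
    # Before: with MultiViews on, a request for /x that matches no file is
    # negotiated against x.*, so x.class.php is served and run as PHP.
    # Options MultiViews

    # After: negotiation off. /x no longer resolves; /x.class.php still runs.
    Options -MultiViews

    # Optional, for the "/x.class" form asked about in the question.
    # Maps /name.class to name.class.php only when that file exists on disk.
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME}.php -f
    RewriteRule ^(.+)\.class$ $1.class.php [L]
</Directory>
```

After reloading Apache, `/x` should return 404 while `/x.class` and `/x.class.php` both execute the script. The same directives work in a `.htaccess` file only if `AllowOverride` permits `Options` and `FileInfo` for that directory.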