Why do URLs to PHP-Pages no not yield a 404 when nonsense is appended to the URL

Question

Let's take a proper URL to a php-Page like: https://secure.php.net/ChangeLog-7.php

If we now add a trailing slash and some random garbage like this: https://secure.php.net/ChangeLog-7.php/nonexistentfolder/anotherfile.html the URL still works. In my opinion, it should have generated a 404-Error because "nonexistentfolder" is a folder not existing on the remote server as well as "anotherfile.html" is a non existent file.

This seems to happen generally, independent from webserver or rewrite-rules, so it seems to have its source in the PHP-Webserver-Module.

I do understand, what PATH_INFO is, but i do not understand, why calling such a URL does not generate a 404 response which would be the case if the existing file in the URL would be .html (and not .php).

How do people deal with this i.e. to avoid such bogus links making their way to search engines or alike?

Thanks!

Answer 1

According to the Apache Documentation, the Setting for AcceptPathInfo depends on the Handler used to answer the request. Handlers to answer requests for .html and .php files are different and it seems the default of the handler for .php is to accept PATH_INFO.

If you want the webserver to reply with a 404-Status, when the url is pointing to an invalid file/folder but includes a valid .php file at the beginning of the url, you can do so by adding the following i.e. to a .htaccess-file:

<Files ~ "\.php$">
AcceptPathInfo Off
</Files>