It was suggested that a malfunctioning web server could send unprocessed .php files to the client, potentially exposing sensitive code. Could an Apache file directive prevent sending .php files unless they were processed?
The Apache Files directive could prevent an extension completely, but that would prevent all PHP scripts.
For example, this Files directive (untested) matches files ending in .inc, denying requests for these files.
<Files ~ "\.(inc)$">
Order allow,deny
Deny from all
Satisfy All
</Files>
What if something similar was placed inside a test for a module?
<IfModule !mod_php4.c>
<Files ~ "\.(php)$">
Order allow,deny
Deny from all
Satisfy All
</Files>
</IfModule>
I am thinking that a failed PHP module could be tested and .php files could be conditionally blocked with the above htaccess instructions.
Should the server deny all PHP files if the module crashed and burned on startup? Could a solution similar to this be put into effect if the module crashed and burned after startup?
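
For the after-startup case, a monitoring probe can tell the three outcomes apart: PHP ran, the request was denied, or raw source reached the client. The following is an added example, not part of the original post; the canary script, its token, and the function names are hypothetical, and the sample responses are constructed.

```python
import re

# Raw PHP open tags: "<?php", "<?=" and the short tag "<? ".
# An XML declaration ("<?xml") matches none of the alternatives.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)

# Hypothetical canary script on the server:  <?php echo "canary-ok:" . (2 + 2); ?>
# The full token only exists if PHP actually evaluated the expression.
CANARY_TOKEN = b"canary-ok:4"

# MIME type conventionally mapped to the PHP handler; seeing it on the wire
# means no handler consumed the file (assumption: AddType-style mapping in use).
PHP_MIME = "application/x-httpd-php"


def classify_response(status, content_type, body):
    """Classify a probe response for the canary .php URL."""
    if status == 403:
        return "blocked"        # e.g. the <Files> deny rule fired
    if content_type.lower().startswith(PHP_MIME) or PHP_OPEN_TAG.search(body):
        return "source_leak"    # unprocessed PHP was sent to the client
    if status == 200 and CANARY_TOKEN in body:
        return "processed"      # module is loaded and executing scripts
    return "unknown"            # error page or unexpected content


# Constructed sample responses: (status, Content-Type, body)
SAMPLES = [
    (200, "text/html", b"<html>canary-ok:4</html>"),
    (403, "text/html", b"<h1>Forbidden</h1>"),
    (200, "text/plain", b'<?php echo "canary-ok:" . (2 + 2); ?>'),
    (200, "application/x-httpd-php", b""),
    (200, "text/xml", b'<?xml version="1.0"?><r/>'),
]


def run_samples():
    """Return the classification of each constructed sample, in order."""
    return [classify_response(*sample) for sample in SAMPLES]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, run_samples()):
        print(sample[0], sample[1], "->", verdict)
```

A "source_leak" verdict is the condition the conditional Files block is meant to turn into "blocked".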