Skip to content
Snippets Groups Projects
Commit 168c314d authored by Alex Pott's avatar Alex Pott
Browse files

Issue #1587270 by klausi, greggles, sun: Forbid execution of PHP files in... 

Issue #1587270 by klausi, greggles, sun: Forbid execution of PHP files in subfolders by default (except those needed by core).
parent ec9e2b5f
No related branches found
No related tags found
2 merge requests!7452Issue #1797438. HTML5 validation is preventing form submit and not fully...,!789Issue #3210310: Adjust Database API to remove deprecated Drupal 9 code in Drupal 10
Hide whitespace changes
Inline Side-by-side
Showing
with 14 additions and 11 deletions
.htaccess
+ 14
11
View file @ 168c314d
......@@ -126,17 +126,20 @@ DirectoryIndex index.php index.html index.htm
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^ index.php [L]
# If this is a production site you may want to forbid access to PHP files in
# subfolders for security reasons. If you need to directly execute PHP files
# in a module or want to run another PHP application somewhere in your
# docroot tree you might want to modify this. Uncomment the following two
# lines to only allow PHP files in the webroot and in "/core":
# RewriteCond %{REQUEST_URI} !^/core/[^/]*\.php$
# RewriteRule "^.+/.*\.php$" - [F]
# Example for allowing just one PHP file of statistics module:
# RewriteCond %{REQUEST_URI} !^/core/[^/]*\.php$
# RewriteCond %{REQUEST_URI} !^/core/modules/statistics/statistics.php$
# RewriteRule "^.+/.*\.php$" - [F]
# For security reasons, deny access to other PHP files on public sites.
# Note: The following URI conditions are not anchored at the start (^),
# because Drupal may be located in a subdirectory. To further improve
# security, you can replace '!/' with '!^/'.
# Allow access to PHP files in /core (like update.php or install.php):
RewriteCond %{REQUEST_URI} !/core/[^/]*\.php$
# Allow access to test-specific PHP files:
RewriteCond %{REQUEST_URI} !/core/modules/system/tests/https?.php$
# Allow access to Statistics module's custom front controller.
# Copy and adapt this rule to directly execute PHP files in contributed or
# custom modules or to run another PHP application in the same directory.
RewriteCond %{REQUEST_URI} !/core/modules/statistics/statistics.php$
# Deny access to any other PHP files that do not match the rules above.
RewriteRule "^.+/.*\.php$" - [F]
# Rules to correctly serve gzip compressed CSS and JS files.
# Requires both mod_rewrite and mod_headers to be enabled.
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment