> On Jan 10, 2005, at 12:49 PM, Jason Morehouse wrote:
>
>> Hello. I'm not sure if this is an apache problem or php... but
>> wondering if anyone has come across the same problem.
>>
>> -rw------- 1 root root test.html
>> -rw------- 1 root root test.php
>>
>> Trying to access test.html via a browser serves up the apache 403
>> error page. The test.php however produces:
>>
>> Warning: Unknown: failed to open stream: Permission denied in Unknown
>> on line 0 Warning: Unknown: Failed opening '/www/test.php' for
>> inclusion (include_path='.:/www/php') in Unknown on line 0

Ahhhh! Now we see the question!

Why doesn't it yield 403 like it "should"?

First and foremost, use php.ini or httpd.conf or .htaccess to *NOT* let PHP send error messages OF ANY KIND to the browser on a production site. [You could also use ini_set within a script if the file in question is to be include'd into other files.]

You should do this anyway.

Admittedly, your server still behaves not quite like you want, as *.html yields a 403 response, and *.php yields a 200 response, and a page of no content. But at least the Bad Guys don't see your server internals.

I don't think there's any way you can configure Apache to pre-empt the PHP trying to read the file -- though I presume Apache *could* be altered to behave that way... Except it would be rather difficult for Apache to 'know' a priori what User PHP runs as, given suexec, CGI setups, etc...

Depending on your application, you might be able to "wrap" all the access to files through a known good PHP file, and then use PHP error handling (http://php.net/set_error_handler) to determine if this error occurred, and then send a 403 header.

Probably an Apache list would be better suited to knowing for sure any way around this...

You could maybe tweak the PHP source to detect this condition and send 403 instead of trying to include() the file, which is what it seems to be doing.

--
Like Music?
http://l-i-e.com/artists.htm
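
Added example (not code from this thread): one way to implement the wrapper suggested above, with display_errors turned off and a set_error_handler callback that turns the include's "Permission denied" warning into a 403 response. The script name serve.php, the directory /www/pages and the `page` query parameter are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// serve.php: hypothetical front controller; all names and paths are assumptions.

ini_set('display_errors', '0');  // never send PHP diagnostics to the browser
ini_set('log_errors', '1');      // keep them in the server-side error log

const PAGE_DIR = '/www/pages';   // assumed location of the wrapped scripts

function deny(int $status): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    echo $status === 403 ? "Forbidden\n" : "Not Found\n";
    exit;
}

// Accept only a simple page name, so the request cannot choose an arbitrary path.
$page = $_GET['page'] ?? '';
if (!is_string($page) || preg_match('/^[a-z0-9_-]{1,64}$/', $page) !== 1) {
    deny(404);
}
$file = PAGE_DIR . '/' . $page . '.php';
if (!is_file($file)) {
    deny(404);
}

// Record the "Permission denied" warning raised when include cannot open the file.
$denied = false;
set_error_handler(function (int $no, string $msg) use (&$denied): bool {
    if (stripos($msg, 'Permission denied') !== false) {
        $denied = true;
        error_log("serve.php: $msg");
        return true;   // handled here: nothing reaches the client
    }
    return false;      // anything else goes to PHP's normal (logged) handling
}, E_WARNING);

ob_start();            // hold output until we know the include worked
include $file;
restore_error_handler();

if ($denied) {
    ob_end_clean();    // discard anything buffered before answering 403
    deny(403);
}
ob_end_flush();
```

Because the handler stays installed while the included page runs, a "Permission denied" warning raised by that page's own file access is also answered with 403.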