Other CMSs that I have tried prevent direct access to any *.php files by providing a message saying something like "403 - Forbidden". In Drupal 6.1, I got an empty white screen when I accessed any *.php file (other than index.php, update.php, *.tpl.php or *.inc.php). What I would like to have is that any direct request to *.php files other than index.php, *.tpl.php or *.inc.php will be redirected to index.php. How could we do that? And is it worth doing?
FYI, I am using lighttpd with mod_magnet for Clean URL. And the following is my url.access-deny setting:
url.access-deny = ( "~", ".inc", ".gz", ".log", ".tpl.php", ".inc.php", ".filter", ".engine", ".install", ".module", ".info", ".sh", ".theme" )
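As an added example (not from the post above and not Drupal's own configuration), here is a lighttpd 1.4 fragment that keeps the poster's url.access-deny list and adds an internal rewrite so that any other *.php file that is not one of Drupal 6's public entry points is answered by index.php. It assumes mod_access and mod_rewrite are loaded in server.modules and that the rewrite runs before the mod_magnet clean-URL script; the list of entry points (index.php, cron.php, update.php, xmlrpc.php) is an assumption based on the Drupal 6 root layout, so trim it to what the site actually uses.

```lighttpd
# Added example, not from the original post or from Drupal.
# Assumes lighttpd 1.4 with mod_access and mod_rewrite in server.modules.

# 1. Source and support files that must never be served directly
#    (the poster's list, kept as-is; url.access-deny is a suffix match
#    on the request path).
url.access-deny = ( "~", ".inc", ".gz", ".log", ".tpl.php", ".inc.php",
                    ".filter", ".engine", ".install", ".module", ".info",
                    ".sh", ".theme" )

# 2. Any remaining *.php that is not a public Drupal entry point is
#    rewritten internally to index.php, so Drupal serves its normal
#    "page not found" response instead of PHP executing the file
#    outside the bootstrap (the white screen the post describes).
#    The negative lookahead is PCRE, which lighttpd's url.rewrite uses.
#    Entry-point list is an assumption; adjust to the site.
url.rewrite-once = (
  "^/(?!(index|cron|update|xmlrpc)\.php)[^?]*\.php(\?.*)?$" => "/index.php"
)
```

Using url.rewrite-once keeps the file name out of the response (the client sees a Drupal 404, not a redirect to index.php), which is the same information-hiding effect as the "403 - Forbidden" other CMSs return. To check the result after a reload, request a denied path such as /includes/bootstrap.inc and /modules/system/system.module and confirm a 403, then request a stray *.php outside the entry-point list and confirm Drupal's own not-found page rather than a blank response.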
Comments
No Security Expert
I'm not a security expert at all, so I'm asking out of sheer curiosity, how does this make things more secure?
Rephrase - Better control in Drupal
Neither am I. I am very far from being called an internet security expert. Maybe I had better rephrase what I asked.
The usual practice that I always follow when I open anything on my network to the internet is to have all the controls over what internet users can and cannot do. That is the least I can do, as I cannot prevent threats due to security holes in my operating system and all other applications, including my firewall itself. The security hole always exists until somebody exploits it or realises that it can be exploited.
No comment from Drupal Security Team?
I would really like to have comments on this, especially from the Drupal Security Team. Even if that were something like: "No, it is not worth the effort".
It would actually be more appreciated if someone could suggest snippets or hacks to me, even if I had to add those again every time I upgrade Drupal.
Thanks a lot in advance.