I just realized that any user can view most of the PHP code on our system. For example, if the user points his browser to http://www.ourdomain.com/includes/menu.inc, they see the PHP source code. Did I install something improperly?

Regards,
Kory

Comments

kuprishuz’s picture

That's because the server does not recognize the extension; it is displaying it as a text file. You could use .htaccess to deny it. I personally feel the Drupal team should have put .php on the end of every file, such as menu.inc.php, but that's just my opinion.

dww’s picture

Ever since Drupal 4.6.0, the .htaccess file that comes with Drupal does this automatically:

# Protect files and directories from prying eyes.
<Files ~ "(\.(inc|module|pl|sh|sql|theme|engine|xtmpl)|Entries|Repositories|Root|scripts|updates)$">
  Order deny,allow
  Deny from all
</Files>

As you can see, anything that ends in .inc, .module, .theme, etc., is being denied. If this isn't working on your site, chances are good you just didn't install the .htaccess file properly. If you keep your Drupal source in one directory and use symlinks from the directory Apache is serving, it's easy to forget .htaccess, since it won't get linked with something like "ln -s ../drupal/* ."

___________________
3281d Consulting

alchemist’s picture

The .htaccess is in my Drupal's root directory and it contains the exact statement that is in your reply. AccessFileName is also set to .htaccess in my httpd.conf file.

Kory

styro’s picture

If your .htaccess file is being ignored, you'll probably need to configure the AllowOverride directive, e.g. 'AllowOverride All' in the relevant directory or virtual host container.

Apache ignores .htaccess files by default.

--
Anton

alchemist’s picture

Anton,

Thank you. Adding "AllowOverride All" fixed the problem.

Regards,
Kory
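
The two conditions discussed in this thread (the file name must match the `<Files ~>` pattern dww quoted, and `AllowOverride` must let Apache honor that rule, as styro pointed out) can be checked offline with a short script. This is an added example, not part of the original posts or of Drupal; the sample configs, the `/var/www/html` document root and all function names are assumptions, and the config parsing is deliberately simplified.

```python
import re

# Pattern copied verbatim from the <Files ~ "..."> line quoted in the thread.
FILES_RE = re.compile(
    r"(\.(inc|module|pl|sh|sql|theme|engine|xtmpl)|Entries|Repositories|Root|scripts|updates)$"
)

# Constructed sample configs; /var/www/html is an assumed document root.
BROKEN_CONF = """
<Directory />
    AllowOverride None
</Directory>
<Directory "/var/www/html">
    Options FollowSymLinks
</Directory>
"""
FIXED_CONF = BROKEN_CONF.replace("Options FollowSymLinks",
                                 "Options FollowSymLinks\n    AllowOverride All")

def denied_by_htaccess(filename):
    """True if the quoted <Files ~> rule matches this file name."""
    return FILES_RE.search(filename) is not None

def effective_allow_override(conf_text, docroot):
    """AllowOverride value from the most specific plain-path <Directory> block
    covering docroot, or None if no block sets it (simplified: no wildcards,
    <DirectoryMatch>, or Include handling)."""
    docroot = docroot.rstrip("/") + "/"
    best_len, value, current = -1, None, None
    for line in (l.strip() for l in conf_text.splitlines()):
        opened = re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', line, re.I)
        setting = re.match(r"AllowOverride\s+(.+)$", line, re.I)
        if opened:
            current = opened.group(1).rstrip("/") + "/"
        elif line.lower().startswith("</directory"):
            current = None
        elif setting and current and docroot.startswith(current):
            if len(current) > best_len:
                best_len, value = len(current), setting.group(1).strip()
    return value

def deny_rule_enforced(conf_text, docroot, filename):
    """True only if the file matches the rule AND Apache will honor Order/Deny
    from .htaccess (override class Limit, or All). A missing directive is
    treated as not enforced, since the built-in default varies by version."""
    tokens = (effective_allow_override(conf_text, docroot) or "").lower().split()
    return denied_by_htaccess(filename) and bool({"all", "limit"} & set(tokens))

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, effective_allow_override(conf, "/var/www/html"),
              deny_rule_enforced(conf, "/var/www/html", "menu.inc"))
```

On a live server the equivalent check is to request a `.inc` file and confirm the response is 403 rather than the file's source.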