Closed (fixed)
Project: Barracuda
Version: 6.x-2.x-dev
Component: PHP-FPM Server
Priority: Normal
Category: Feature request
Assigned: Unassigned
Reporter:
Created: 20 Oct 2013 at 22:01 UTC
Updated: 6 Nov 2013 at 02:30 UTC
Comments
Comment #1
omega8cc commented
We don't expose PHP at all, not just PHP version, but not at all, so I don't really understand this suggestion. It would make sense for Apache with mod_php, but not for BOA. Where do you see PHP version used exposed publicly? Only site admin can see it in the status page etc and it is a good thing. Besides, it is childishly easy to determine if the site is powered by Drupal even if we would have fake headers all over the place, and it is rather obvious that Drupal runs on PHP, so?
Comment #2
realityloop commented
Examples:
http://realityloop.com/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
http://realityloop.com/index.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
Comment #3
omega8cc commented
As I said, what non-generic, non-specific information is provided that way, besides the obvious fact that Drupal is a PHP app?
Comment #4
realityloop commented
The logo changes every version so it is possible to infer the PHP version from this.
http://stackoverflow.com/questions/4123558/turning-off-random-php-gif-logo
Comment #5
omega8cc commented
Interesting! Thanks. I think we will rather deny these requests instead of disabling expose_php, to not break the PHP status page (it would remove the image also there etc). Do you think it should fix the problem?
Comment #6
realityloop commented
Sounds perfectly acceptable to me.
It looks like there are actually 4 of them that should potentially be blocked:
http://www.0php.com/php_easter_egg.php
The 1st answer here has regex for htaccess that may help with nginx:
http://stackoverflow.com/questions/10458610/how-can-i-disable-phps-easte...
Comment #7
omega8cc commented
Committed in http://drupalcode.org/project/barracuda.git/commit/2dd75bd
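
A log check for the requests discussed in this thread, as an added example that is not part of the issue or of the Barracuda commit: it flags access-log requests whose query string has the `=PHP<GUID>` shape shown in comment #2 and reports whether the web server denied them. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re

# Shape of the query strings in comment #2: "=PHP" followed by a GUID.
# Matching the shape rather than fixed values covers every such GUID.
EGG_RE = re.compile(
    r"(?:^|&)=PHP[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}(?:&|$)",
    re.IGNORECASE,
)
# Request target and status from a combined-format access-log line.
LINE_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def is_easter_egg(target):
    """True if the request target carries an easter-egg style query string."""
    _, _, query = target.partition("?")
    return bool(EGG_RE.search(query))

def audit(lines):
    """Return (target, status, verdict) for each easter-egg request found."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or not is_easter_egg(m.group("target")):
            continue
        status = int(m.group("status"))
        # 4xx: the web server refused the request. Anything else means the
        # request was not denied and PHP may have answered it.
        verdict = "denied" if 400 <= status < 500 else "not_denied"
        findings.append((m.group("target"), status, verdict))
    return findings

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Oct/2013:22:05:01 +0000] "GET /index.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2524 "-" "curl/7.30"',
    '192.0.2.10 - - [06/Nov/2013:02:31:10 +0000] "GET /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 HTTP/1.1" 403 162 "-" "curl/7.30"',
    '198.51.100.7 - - [06/Nov/2013:02:32:44 +0000] "GET /index.php?q=node/1 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Nov/2013:02:33:02 +0000] "GET /?page=2&=phpe9568f36-d428-11d2-a769-00aa001acf42 HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for target, status, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:<11} {status} {target}")
```

A `not_denied` result only shows that the web server passed the request on; whether PHP then returned the logo still depends on `expose_php`.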