[Phplogcon-dev] not allow certain files to be access

Rainer Gerhards rgerhards at hq.adiscon.com
Wed Dec 7 17:01:47 CET 2005


Warning: the php-noob is writing about php ;)

Would it be possible in php to set a variable (let's call it
"validcall") in the main file and check that in each of the
to-be-included files? So if they would be called directly, "validcall"
would be unset. I've just done similar things in ASP apps in the dark ages ;)
It sounds pretty OS-independent but I am probably not aware of the
quirks ;)

Rainer
PS: I think there isn't such thing as "too much security"...
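The two guards the thread discusses, as an added example that is not phplogcon's own code: the "validcall" marker set by the entry point, and the SCRIPT_NAME comparison rewritten so it does not depend on the directory separator. The constant name PHPLOGCON_VALIDCALL, the function names and the sample paths are assumptions.

```php
<?php
// Added example, not phplogcon's code. Guards for a file that must only
// ever be include()d (e.g. config.php). Names below are assumptions.

// In the entry point (index.php), before any include:
//     define('PHPLOGCON_VALIDCALL', true);
//     require __DIR__ . '/config.php';

// Approach 1: was the marker defined by the entry point?
// A constant cannot be injected from the request, so a direct call to
// config.php never has it defined.
function calledViaEntryPoint(): bool
{
    return defined('PHPLOGCON_VALIDCALL');
}

// Approach 2: does the requested script name match this file's own name?
// Both paths are normalised to "/" first, so c:\webserver\phplogcon\config.php
// and /var/www/phplogcon/config.php are handled the same way; the compare is
// case-insensitive because Windows file names are.
function isDirectRequest(string $thisFile, string $scriptName): bool
{
    $own = basename(str_replace('\\', '/', $thisFile));
    $req = basename(str_replace('\\', '/', $scriptName));
    return strcasecmp($own, $req) === 0;
}

// Deny with 403 rather than redirecting; nothing from the file has been
// output at this point, so the response carries no data either way.
function denyDirectAccess(): void
{
    http_response_code(403);
    exit('Forbidden');
}

// Guard placed at the top of config.php (and every other non-entry file).
// Keeping such files outside the document root removes the problem entirely.
if (PHP_SAPI !== 'cli') {
    if (!calledViaEntryPoint() || isDirectRequest(__FILE__, $_SERVER['SCRIPT_NAME'] ?? '')) {
        denyDirectAccess();
    }
}

// Constructed inputs: a Windows-style __FILE__ requested directly, and a
// Linux-style __FILE__ reached through index.php.
var_dump(isDirectRequest('c:\\webserver\\phplogcon\\config.php', '/phplogcon/config.php'));
var_dump(isDirectRequest('/var/www/phplogcon/config.php', '/phplogcon/index.php'));
```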

> -----Original Message-----
> From: phplogcon-dev-bounces at lists.adiscon.com 
> [mailto:phplogcon-dev-bounces at lists.adiscon.com] On Behalf Of 
> Brian Shea
> Sent: Wednesday, December 07, 2005 4:58 PM
> To: phplogcon-dev at lists.adiscon.com
> Subject: Re: [Phplogcon-dev] not allow certain files to be access
> 
> Ah, that would be a problem. Easily fixed with a config 
> setting or checking
> the os environment.
> 
> Nor do i, but why let someone else find it and exploit it if one does
> exist!!!
> 
> This is more for the type of files i use in 1.2.4_bgs where 
> all the Auth is
> done in index.php and each page is loaded by an include statement.
> 
> I'm just so used to having them there that i feel better with them.
> 
> 
> 
> On 12/7/05, Michael Meckelein <mmeckelein at hq.adiscon.com> wrote:
> >
> > Brian,
> >
> > This approach works only in a linux environment. Note that 
> Windows uses
> > \ instead of linux's / for directory browsing.
> >
> > E.g. file in
> > - windows: c:\webserver\phplogcon\config.php
> > - linux: /var/www/phplogcon/config.php
> >
> > Furthermore, I have to admit that I am not aware of an 
> actual security
> > issue by accessing those file directly via url. Of course it is not
> > intended to call files like config.php directly. To 
> prohibit accessing
> > files directly which are not intended to access directly is 
> of course a
> > good security concept. But maybe I oversee a security issue with the
> > current (without your check) approach?
> >
> > Michael
> >
> > > -----Original Message-----
> > > From: phplogcon-dev-bounces at lists.adiscon.com 
> [mailto:phplogcon-dev-
> > > bounces at lists.adiscon.com] On Behalf Of Brian Shea
> > > Sent: Wednesday, December 07, 2005 6:36 AM
> > > To: phplogcon-dev at lists.adiscon.com
> > > Subject: Re: [Phplogcon-dev] not allow certain files to be access
> > >
> > > Michael, here is the code section that will disallow access to php
> > files
> > > from the URL.
> > >
> > > It basically looks at the file name in the 
> $_SERVER[script_name] to
> > see if
> > > it matches itself.
> > >
> > > // BGS -- do not allow access from URL
> > > // Name of this file, with the leading "/" (so "/config.php").
> > > $filename = substr(__FILE__, strrpos(__FILE__, "/"));
> > > // Name of the script the web server was asked for, same form.
> > > $requestname = substr($_SERVER['SCRIPT_NAME'], strrpos($_SERVER['SCRIPT_NAME'], "/"));
> > >
> > > // Equal names mean this file was requested directly rather than
> > > // included from index.php: clear the session and send the user back.
> > > if ($filename == $requestname) {
> > >     session_unset();
> > >     header("Location: ../index.php");
> > >     exit;
> > > }
> > > // BGS end
> > >
> > >
> > >
> > > On 12/6/05, Brian Shea <bgshea at gmail.com> wrote:
> > > >
> > > > The code is just below the GNU license marked with
> > > >
> > > > // BGS --
> > > >
> > > > // BGS end
> > > >
> > > > the first section is the trailing '/' (slash) removal, 
> the second
> > > section
> > > > is the disallow. I don't have the code in front of me 
> to look at.
> > > >
> > > >
> > > > On 12/6/05, Michael Meckelein <mmeckelein at hq.adiscon.com> wrote:
> > > > >
> > > > > Hi Brian,
> > > > >
> > > > > I need your help. Please can you point me to where I 
> can find the
> > > > > following modification?
> > > > >
> > > > > > added php code to not allow certain files to be 
> access by the
> > > > > > URL!!! esp. include.php and config.php
> > > > >
> > > > > Thank you.
> > > > >
> > > > > Best regards,
> > > > > Michael
> > > > > _______________________________________________
> > > > > Phplogcon-dev mailing list
> > > > > http://lists.adiscon.net/mailman/listinfo/phplogcon-dev
> > > > >
> > > >
> > > >
> >
> 


