Home > Mobile >  How does Apache handle index.php/some_text webpage requests? It returns http status 200 instead of e
How does Apache handle index.php/some_text webpage requests? It returns http status 200 instead of e

Time:12-17

I have a website on a shared server with some very basic php pages in the public_html directory, as well as some sub-directories with other pages in:

index.php
test.php
subdir1/index.php
subdir2/index.php

Looking at my visitor logs, I'm getting visits to index.php/some_text and index.php/some_other_text and so on. Naively I would expect those to receive an http status 404 as a) there is no directory called index.php and b) no files exist called some_text and some_other_text. However Apache is returning the file index.php with an http status 200.

Is there something I can set in .htaccess that will return a 404 status in these cases, without restricting the valid subdirectories?

I found some suggestions to set "DirectorySlash Off" but that made no difference. I've also tried

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ - [R=404,L]

But that too made no difference. Thanks.

CodePudding user response:

I'm getting visits to index.php/some_text and index.php/some_other_text and so on.

The part of the URL that starts with a slash and follows a physical file is called additional pathname information (or path-info). So, /some_text (in your example) is path-info.

In this case index.php receives the request and /some-text is passed to the script via the PATH_INFO environment variable (in PHP this is available in the $_SERVER['PATH_INFO'] superglobal).

By default, whether path-info is valid on the URL is dependent on the handler responsible for the request. PHP files allow path-info by default, but .html files do not. So, by default /index.html/some-text will result in a 404.

You can disable path-info by setting AcceptPathInfo Off in your Apache config / .htaccess file. By doing this, a request for /index.php/some-text will now result in a 404.

Conversely, if you set AcceptPathInfo On then /index.html/some-text will also be permitted.

Note that some frameworks use path-info to route requests in a front-controller pattern (as opposed to using a query string or parsing the requested URI directly).

Reference:


I found some suggestions to set "DirectorySlash Off"

That has nothing to do with this issue. Setting DirectorySlash Off prevents mod_dir from appending trailing slashes to requests for directories.

CodePudding user response:

I have since tried

RewriteEngine On
RewriteCond %{REQUEST_URI} ^/[^/] \.php/.*$ 
RewriteRule ^(.*)$ - [R=404,L]

This will only then impact *.php files in the root directory, leaving any subdirectories alone. I think. It produces the behaviour I want but it doesn't feel like a good solution.

  • Related