Restrict executable php files to bare minimum

Created on 6 January 2025, about 2 months ago

Problem/Motivation

Any PHP files within the core directory are executable from the browser.

This is a result of Change record: Limited PHP file execution in .htaccess (Apache webserver) →, which was worked on via #1587270: Forbid execution of PHP files in subfolders by default (except those needed by core) →.

We should not be able to browse *.php files, except those specifically documented as executable, such as authorize.php or install.php.

Steps to reproduce

Browse the path /core/modules/path_alias/src/AliasManager.php. You'll see an error, not a 4XX. This file is being executed.

Proposed resolution

There are some paths in Docroot and the core/ directory that are supposed to be executable. However, I think we need to revisit the open nature of the current restriction.

Browsing any undocumented, executable .php file should result in a 4XX, and the PHP script of that file should not be executed.

Remaining tasks

TBD

Release notes snippet

TBD
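One way to express the deny-by-default policy the issue asks for, as an added example that is not Drupal core's shipped .htaccess and not the reporter's own proposal. It assumes Apache 2.4+ with mod_authz_core, AllowOverride permitting authorization directives in the docroot, and the Drupal docroot as DocumentRoot. The allowlist is an assumption for illustration: index.php is the front controller, and authorize.php and install.php are the two files the issue names; the complete list of executable entry points must be taken from core's own documentation, not from this snippet.

```apache
# ---- docroot/.htaccess (added example, not Drupal's shipped file) ----
# Default: no PHP file anywhere under the docroot may be requested
# directly. This applies to every subdirectory unless a later section
# re-opens a specific file.
<FilesMatch "\.php$">
  Require all denied
</FilesMatch>

# Allowlist at the docroot. Note that <Files> matches by file name in
# this directory and in every subdirectory, so keep the names unique
# and the list short.
<Files "index.php">
  Require all granted
</Files>

# ---- docroot/core/.htaccess (added example) ----
# Re-open only the entry points documented as executable. This file is
# merged after the docroot .htaccess, so its Require replaces the deny
# above for exactly these names. authorize.php and install.php are the
# two the issue names; extending the list is an assumption left to the
# core documentation.
<FilesMatch "^(authorize|install)\.php$">
  Require all granted
</FilesMatch>
```

After deploying, the reproduction step in the issue becomes the check: `curl -s -o /dev/null -w '%{http_code}\n' http://localhost/core/modules/path_alias/src/AliasManager.php` should print 403 rather than the 500 that a PHP fatal error produces, while /index.php and /core/install.php still respond. Two caveats: a 403 still confirms the file exists, so if path disclosure matters a `RewriteRule "\.php$" - [R=404,L]` placed before the allowlisted paths are handled gives a 404 instead; and .htaccess is Apache-only, so an nginx and PHP-FPM deployment gets no protection from it and needs equivalent location rules.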

✨ Feature request
Status

Active

Version

11.0 🔥

Component

other

Created by

🇺🇸 United States jcandan
