PHP-7.1.6 - enable with security.limit_extensions .shtml files? - php-7.1

How to enable in PHP-7.1.6, setting "security.limit_extensions", execution of .shtml files? I get error "Access to the script '/var/www/..../file.shtml' has been denied (see security.limit_extensions)" The file.shtml is following
<?php include ("web.php"); ?>

1 - Locate the php configuration file
php-fpm.conf
2 - Edit the line for security.limit_extensions, adding the .shtml to it.
security.limit_extensions = .php .html .shtml
3 - If the line doesn't exist, just add to the file anyway
4 - Remember to reload the php service (I would recommend also restarting the server)

Related

Serving html files has no extension

I have html files and has no html extension, when I link to this files apache downloads file instead open it.
How can I serve this html files? (with htaccess)
Note: I need this to serve more than 10k html files not for single special file
Per the documentation for the <Files> directive you can use wildcard strings with ? and *, and nest the Files directives inside Directory directives, to target any number of files without explicitly defining their names. Within the directive, use AddType or ForceType as you need. If you want to target all files, for example, and serve them all with the same mime type (in this example, HTML), then you might use:
<Files "*">
ForceType text/html *
</Files>

500 Internal Server Error when moving Yii project to cPanel

I have some problem when moving Yii project folder to public_html in cPanel File Manager. In localhost http://localhost:8888/eKehadiran/index.php it works fine, but when i'm moving the project to public_html and run ekehadiran.com/index.php, the ERROR was appear.
This is some related file on public_html:
.htaccess
AddHandler application/x-httpd-php54 .php .php5 .php4 .php3
index.php
<?php
// change the following paths if necessary
$yii=dirname(__FILE__).'/framework/yii.php';
$config=dirname(__FILE__).'/protected/config/main.php';
// remove the following lines when in production mode
defined('YII_DEBUG') or define('YII_DEBUG',true);
// specify how many levels of call stack should be shown in each log message
defined('YII_TRACE_LEVEL') or define('YII_TRACE_LEVEL',3);
require_once($yii);
Yii::createWebApplication($config)->run();
What error are you getting in error_logs file ? Please check that and try to disable that .htaccess line.
try adding following lines in index.php
<?php
error_reporting(-1);
ini_set('display_errors', true);
// change the following paths if necessary
it should show you the error

How can I prevent scripts from running inside a directory?

I have a files directory for my image storage in my web root folder, i want to know how to secure that folder. i prevent people from uploading scripts to that folder, i check file extensions, if it is not an image then it will not save to that folder.
but faking extensions are done easily, what happens if someone manage to upload a script to my files directory and access that from the browser
so i need a way to prevent scripts from running inside that folder and only allow images to run.
i know htaccess can do that but i dont know how to set it up. my .htaccess file is like this:
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
ForceType application/octet-stream
<FilesMatch "(?i)\.(gif|jpe?g|png)$">
ForceType none
</FilesMatch>
Options All -Indexes
but it is not working, i saved a php file in that folder then tried to accessed it from the browser and i can still access it. do you know how to make this work? or if you have more secure approach to this, please tell me.
thank you
I think that it isn't working because you have only added an extra handler, you haven't removed the other handlers.
It is easiest to put another .htaccess file in the folder you want to protect (rather than messing with the match directive) that contains:
# Fix PHP, you should do matching commands for JSP and ASP, & html
RemoveType application/x-httpd-php php
# .... add the other remove-handler statements here .... #
# Optionally make these equivalent to text files.
# UPDATE: Taken this out as you dont want people to see PHP files at all
#AddType text/html php
# To disable cgi and server side includes & indexes
# You need to check the setup of Apache, some of the file types
# listed should already be handled as CGI (.pl, .py, .sh)
Options -ExecCGI -Includes -Indexes
# Completely block access to PHP files
<FilesMatch "\.(php|phps|html|htm|jsp|asp)$">
Order allow,deny
Deny from all
</Files>
# Add in any additional types to block
That covers PHP and CGI, you should do matching commands for JSP and ASP
UPDATE: Added code to completely block access to PHP files - sorry, thought initially that you simply didn't want them executing. Also note that I've commented out the line that turns PHP files into text files.

htaccess and AddType/Addhandler

My main site script uses php4, and it works fine with the AddHandler. Since the server is configured or php5.3 by default I assume when adding another script to a subdirectory all i would have to do is use one of the following Addhandler/AddType below but, it does not work. When I added anyone of the 3 lines before the pages are sent to the browser as a download so it doesn't process the file for display at all. my htaccess is completely blank expect for the Addhandler. Also this is on a dedicated server.
AddType application/php5-script php html tpl
AddHandler application/x-httpd-php5 .php .php4 .php3 .phtml .tpl .html
AddHandler application/x-httpd-php53 .php .php4 .php3 .phtml .tpl .html
to explain better..
1. www.site.com is run php4 (script req. it)
2. www.site.com/newscript/ needs php5
3. i put a .htaccess in the www.site.com/newscript/ folder with
Addhandler for php5 but it doesn't work
Am a bit confused by your question, do you mean you are running php 4 and 5 on the same server and want some parts of the site to run php4, some php5?
If it's a new server and you can't get the posted code to work have you tried
AddType application/x-httpd-php .php .php4 .php3 .phtml .tpl .html
Server needs to be running latest PHP 5.3, you can downgrade with .htaccess to PHP 4 but if server is not running at least PHP 5.3 you can not make it do so with .htaccess. Got it?

What is the difference between AddHandler and AddType in htaccess files

Can someone explain what the difference is between AddType and AddHandler in htaccess files? I want to make the settings such that I can have a javascript file (.js) be run through the server as though it were a php file (application/x-httpd-php5) but then sent to the user's browser as a (text/javascript) file. How might i configure this?
AddHandler http://httpd.apache.org/docs/2.0/mod/mod_mime.html#addhandler tells the server how to handle the file type. AddType http://httpd.apache.org/docs/2.0/mod/mod_mime.html#addtype tells the server what MIME type to give the client.
I doesn't sound like a great idea to parse all .js files as php. I would suggest using a .htaccess Rewrite directive to map the .js files in question, to your php script.
RewriteRule /phpjs/.* /phpjs/js.php
Then add
header("Content-Type: text/javascript");
to your php output.

Resources