I have a website on a shared server with some very basic php pages in the public_html directory, as well as some sub-directories with other pages in:
index.php
test.php
subdir1/index.php
subdir2/index.php
Looking at my visitor logs, I’m getting visits to index.php/some_text and index.php/some_other_text and so on. Naively I would expect those to receive an http status 404 as a) there is no directory called index.php and b) no files exist called some_text and some_other_text. However Apache is returning the file index.php with an http status 200.
Is there something I can set in .htaccess that will return a 404 status in these cases, without restricting the valid subdirectories?
I found some suggestions to set "DirectorySlash Off" but that made no difference. I’ve also tried
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ - [R=404,L]
But that too made no difference.
Thanks.
2
Answers
I have since tried
This will only then impact *.php files in the root directory, leaving any subdirectories alone. I think. It produces the behaviour I want but it doesn't feel like a good solution.
The part of the URL that starts with a slash and follows a physical file is called additional pathname information (or path-info). So,
/some_text
(in your example) is path-info.In this case
index.php
receives the request and/some-text
is passed to the script via thePATH_INFO
environment variable (in PHP this is available in the$_SERVER['PATH_INFO']
superglobal).By default, whether path-info is valid on the URL is dependent on the handler responsible for the request. PHP files allow path-info by default, but
.html
files do not. So, by default/index.html/some-text
will result in a 404.You can disable path-info by setting
AcceptPathInfo Off
in your Apache config /.htaccess
file. By doing this, a request for/index.php/some-text
will now result in a 404.Conversely, if you set
AcceptPathInfo On
then/index.html/some-text
will also be permitted.Alternatively, you can use mod_rewrite in
.htaccess
to explicitly trigger a 404 for such URLs. For example, to target.php
files (anywhere) only:Or, just
.php
files in the document root:Or, you can explicitly check the
PATH_INFO
server variable to block any URL that includes path-info. For example:Note that some frameworks use path-info to route requests in a front-controller pattern (as opposed to using a query string or parsing the requested URI directly).
Reference:
That has nothing to do with this issue. Setting
DirectorySlash Off
prevents mod_dir from appending trailing slashes to requests for directories.