How does Apache handle index.php/some_text webpage requests? It returns http status 200 instead of expected 404

rbassett
December 15, 2021
257 views
0 votes
2 Answers

I have a website on a shared server with some very basic php pages in the public_html directory, as well as some sub-directories with other pages in:

index.php
test.php
subdir1/index.php
subdir2/index.php

Looking at my visitor logs, I’m getting visits to index.php/some_text and index.php/some_other_text and so on. Naively I would expect those to receive an http status 404 as a) there is no directory called index.php and b) no files exist called some_text and some_other_text. However Apache is returning the file index.php with an http status 200.

Is there something I can set in .htaccess that will return a 404 status in these cases, without restricting the valid subdirectories?

I found some suggestions to set "DirectorySlash Off" but that made no difference. I’ve also tried

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ - [R=404,L]

But that too made no difference.
Thanks.

Tags: .htaccess apache

Answers

Chosen as BEST ANSWER
- rbassett
- December 16, 2021 at 5:03 pm
- 0 votes
0
I have since tried
```
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/[^/]+.php/.*$ 
RewriteRule ^(.*)$ - [R=404,L]
```
This will only then impact *.php files in the root directory, leaving any subdirectories alone. I think. It produces the behaviour I want but it doesn't feel like a good solution.

(Edit)

- MrWhite
- December 15, 2021 at 8:25 pm
- 0 votes
0
I’m getting visits to index.php/some_text and index.php/some_other_text and so on.

The part of the URL that starts with a slash and follows a physical file is called additional pathname information (or path-info). So, /some_text (in your example) is path-info.

In this case index.php receives the request and /some-text is passed to the script via the PATH_INFO environment variable (in PHP this is available in the $_SERVER['PATH_INFO'] superglobal).

By default, whether path-info is valid on the URL is dependent on the handler responsible for the request. PHP files allow path-info by default, but .html files do not. So, by default /index.html/some-text will result in a 404.

You can disable path-info by setting AcceptPathInfo Off in your Apache config / .htaccess file. By doing this, a request for /index.php/some-text will now result in a 404.

Conversely, if you set AcceptPathInfo On then /index.html/some-text will also be permitted.

Alternatively, you can use mod_rewrite in .htaccess to explicitly trigger a 404 for such URLs. For example, to target .php files (anywhere) only:
```
RewriteEngine On

RewriteRule .php/ - [R=404]
```
Or, just .php files in the document root:
```
RewriteRule ^[^/]+.php/ - [R=404]
```
Or, you can explicitly check the PATH_INFO server variable to block any URL that includes path-info. For example:
```
RewriteCond %{PATH_INFO} .
RewriteRule . - [R=404]
```
Note that some frameworks use path-info to route requests in a front-controller pattern (as opposed to using a query string or parsing the requested URI directly).

Reference:
- https://httpd.apache.org/docs/2.4/mod/core.html#acceptpathinfo
I found some suggestions to set "DirectorySlash Off"

That has nothing to do with this issue. Setting DirectorySlash Off prevents mod_dir from appending trailing slashes to requests for directories.
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.