php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #53256 Protect .ini files by default.
Submitted: 2010-11-07 19:39 UTC Modified: 2010-11-10 03:15 UTC
From: geoffreyfishing at users dot sourceforge dot net Assigned:
Status: Wont fix Package: PHP options/info functions
PHP Version: 5.3.3 OS: All
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: geoffreyfishing at users dot sourceforge dot net
New email:
PHP Version: OS:

 

 [2010-11-07 19:39 UTC] geoffreyfishing at users dot sourceforge dot net
Description:
------------
With the parse_ini_file() function, many people are coming up with different ways 
to protect ini files (need proof? check the comments for that function). The idea 
here is to register the .ini file with the PHP parser, and then have the parser 
just return like a blank screen or something.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-11-07 22:31 UTC] cataphract@php.net
I don't see the usefulness. Why would the webserver be configured to read the ini files as PHP files in the first place?... Am I missing something?
 [2010-11-07 23:20 UTC] geoffreyfishing at users dot sourceforge dot net
I think you are misunderstanding my idea. The idea is not to parse the ini file, 
the idea is to prevent the ini file from being directly requested. Like for 
example if the ini file got requested, php.exe would just return an empty string. 
Or, you could have an "access denied" error, or "404 not found" error or something 
else.
 [2010-11-07 23:36 UTC] cataphract@php.net
Why would PHP be called for an .ini file? The web servers are generally configured for only calling PHP for .php files.
 [2010-11-08 04:35 UTC] geoffreyfishing at users dot sourceforge dot net
Well, you could make it so that the web server called PHP for ini files. The point 
is that almost any ini file on a web server is probably not to be read by everyone 
on the web. I am just proposing that you use PHP to block access to ini files.

Its only a suggestion, and Im not in charge. Do whatever you want with it.
 [2010-11-09 16:20 UTC] aharvey@php.net
-Status: Open +Status: Wont fix
 [2010-11-09 16:20 UTC] aharvey@php.net
I see no reason for this. If you don't want .ini files served by your Web server, you can easily disable serving files with that extension in pretty much every Web server in existence. PHP is the wrong tool for the job.
 [2010-11-10 03:14 UTC] geoffreyfishing at users dot sourceforge dot net
Your right. I had just seen a similarity in how ASP.NET disables viewing of 
web.config files, but PHP is not ASP.NET, and that might even be a curse word 
around here.

Thanks, no harm intended.
 [2010-11-10 03:15 UTC] geoffreyfishing at users dot sourceforge dot net
Your right. I had just seen a similarity in how ASP.NET disables viewing of 
web.config files, but PHP is not ASP.NET, and that might even be a curse word 
around here.

Thanks, no harm intended.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sat Dec 07 09:01:24 2019 UTC