[Security][Proposal][WIP] Deny explicit requests to app.php/

[phansys]

Added check in app.php front controller in order to avoid explicit requests
being served by PROD env, except while Apache mod_alias redirect fallback.

Before:

GET http://localhost:8000/app.php/demo/hello/Fabien
HTTP/1.0 200 OK

After:

GET http://localhost:8000/app.php/demo/hello/Fabien
HTTP/1.0 404 Not found

Q	A
Bug fix?	no
New feature?	yes
BC breaks?	no
Deprecations?	no
Tests pass?	yes
Doc PR

This approach tries to help with the obscurity about which framework is used in the app (app.php is publicly known as Symfony's front controller).
It's a proposal, any suggestion or comment are welcome.

[Tobion]

app.php does not return 200 but redirect to the path without the front controller. See latest .htacess

[Tobion]

If you prefer to get a 404 to not expose information about the framework, it should IMO also be done in the htaccess

[phansys]

@Tobion, I can see that you're right about 301 in Apache. Right now I'm using Nginx with FPM.
I did this proposal with the premise to aim for a agnostic-server solution, but if it's better I can try to find the way to update the docs about Nginx and Apache config to achieve this behavior.
But first, I think we must conclude how to proceed about obscurity in this way: 301 or 404.

[stof]

IMO, it is better to handle it in your webserver config

[phansys]

@stof, what is your point about obscurity related to this PR (301 vs 404)?
I saw other PR's related to obscurity about the favicon.

[fabpot]

Closing this PR as we won't have anything specific to Apache in our PHP code. Indeed, updating the documentation would be much better. 404 looks best to me.

[phansys]

Thank you @fabpot.
I just added symfony/symfony-docs#4295.