From b4190f22d34134635e4d51ccfb6ce320be3833ee Mon Sep 17 00:00:00 2001
From: Javier Spagnoletti
Date: Mon, 22 Sep 2014 00:05:06 -0300
Subject: [PATCH] [Security][Proposal][WIP] Added check in app.php front controller in order to avoid explicit requests being served by PROD env, except while Apache mod_alias redirect fallback.
Before: ``` GET http://localhost:8000/app.php/demo/hello/Fabien HTTP/1.0 200 OK ``` After: ``` GET http://localhost:8000/app.php/demo/hello/Fabien HTTP/1.0 404 Not found ``` | Q | A | ------------- | --- | Bug fix? | no | New feature? | yes | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Doc PR |
---
web/app.php | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/web/app.php b/web/app.php
index c5c2640906..efc4252cc4 100644
--- a/web/app.php
+++ b/web/app.php
@@ -3,6 +3,20 @@
 use Symfony\Component\ClassLoader\ApcClassLoader;
 use Symfony\Component\HttpFoundation\Request;
 
+// This check prevents explicit access to front controller, except while Apache
+// mod_rewrite fallback
+// Feel free to remove this, extend it, or make something more sophisticated.
+if (preg_match('#^/(.[^/]+)#', $_SERVER['REQUEST_URI'], $matches)
+ && $_SERVER['SCRIPT_NAME'] === $matches[0]
+) {
+ if (false === stripos($_SERVER['SERVER_SOFTWARE'], 'apache')
+ || (function_exists('apache_get_modules') && in_array('mod_rewrite', apache_get_modules()))
+ ) {
+ header('HTTP/1.0 404 Not found');
+ exit();
+ }
+}
+
 $loader = require_once __DIR__.'/../app/bootstrap.php.cache';
 
 // Enable APC for autoloading to improve performance.
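Review bot: The new guard compares `$_SERVER['SCRIPT_NAME']` against the first segment of the raw `REQUEST_URI`, which still carries the query string (and any percent-encoding), so a request such as `/app.php?x=1` does not equal `/app.php` and is served exactly as before; compare only the decoded path, e.g. `$path = rawurldecode(parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH));` fed to the `preg_match`, and state in the comment that this is a convenience, not a security boundary. `$_SERVER['SERVER_SOFTWARE']` is not guaranteed to exist (the built-in CLI server and some FastCGI setups omit it), so the `stripos` call should be wrapped in `isset(...)`, and `in_array('mod_rewrite', apache_get_modules(), true)` should pass the strict flag. Under Apache with PHP-FPM `apache_get_modules()` is not defined, so the inner condition falls through and explicit front-controller requests are still served there; that limitation is worth a line in the comment, as is the mismatch between the subject (mod_alias) and the module the code actually tests for (mod_rewrite). The file's remaining bootstrap continues outside the hunk.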