This repository was archived by the owner on Nov 27, 2020. It is now read-only.

[Security][Proposal][WIP] Deny explicit requests to app.php/ #713

Closed

Conversation

phansys

@phansys phansys commented Sep 22, 2014

Added check in app.php front controller in order to avoid explicit requests
being served by PROD env, except during the Apache mod_alias redirect fallback.

Before:
```
GET http://localhost:8000/app.php/demo/hello/Fabien
HTTP/1.0 200 OK
```

After:
```
GET http://localhost:8000/app.php/demo/hello/Fabien
HTTP/1.0 404 Not found
```

| Q             | A
| ------------- | ---
| Bug fix?      | no
| New feature?  | yes
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Doc PR        |

This approach tries to help with the obscurity about which framework is used in the app (app.php is publicly known as Symfony's front controller).
It's a proposal; any suggestions or comments are welcome.

@Tobion
Contributor

Tobion commented Sep 22, 2014

app.php does not return 200 but redirects to the path without the front controller. See latest .htaccess

@Tobion
Contributor

Tobion commented Sep 22, 2014

If you prefer to get a 404 to not expose information about the framework, it should IMO also be done in the htaccess

@phansys
Author

phansys commented Sep 22, 2014

@Tobion, I can see that you're right about the 301 in Apache. Right now I'm using Nginx with FPM.
I did this proposal with the premise of aiming for a server-agnostic solution, but if it's better I can try to find a way to update the docs about the Nginx and Apache config to achieve this behavior.
But first, I think we must conclude how to proceed about obscurity in this way: 301 or 404.

@stof
Member

stof commented Sep 22, 2014

IMO, it is better to handle it in your webserver config

@phansys
Author

phansys commented Sep 22, 2014

@stof, what is your point about obscurity related to this PR (301 vs 404)?
I saw other PRs related to obscurity about the favicon.

@fabpot
Member

fabpot commented Oct 4, 2014

Closing this PR as we won't have anything specific to Apache in our PHP code. Indeed, updating the documentation would be much better. 404 looks best to me.

@fabpot fabpot closed this Oct 4, 2014
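The thread settles on doing this in the web server rather than in app.php, with a 404 for explicit front-controller URLs. As an added example (not code from the PR, from this thread's participants, or from the Symfony project), the nginx server block below answers 404 to a client request such as `GET /app.php/demo/hello/Fabien` while clean URLs are still routed to app.php internally. The hostname, document root and PHP-FPM socket path are assumptions for illustration.

```nginx
# Added example, not from the PR or from the Symfony project: an nginx server
# block that returns 404 for any client request that names the front
# controller explicitly (GET /app.php/demo/hello/Fabien) while still routing
# clean URLs to app.php through an internal redirect. The hostname, document
# root and the PHP-FPM socket path below are assumptions.
server {
    server_name example.test;
    root /var/www/project/web;

    location / {
        # Serve an existing static file directly, otherwise hand the request
        # to app.php. try_files performs an *internal* redirect, which the
        # "internal" location below still accepts.
        try_files $uri /app.php$is_args$args;
    }

    # PROD front controller
    location ~ ^/app\.php(/|$) {
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;

        # "internal" makes nginx reply 404 to requests that arrive from the
        # network for this location; only internal redirects (try_files,
        # error_page, rewrite) may reach it. The client gets the same 404 as
        # for any unknown path, so the URL space does not advertise app.php.
        internal;
    }

    # Any other PHP file (app_dev.php, config.php, anything deployed by
    # mistake) is never passed to PHP-FPM in production.
    location ~ \.php$ {
        return 404;
    }
}
```

With this in place, `curl -I http://example.test/app.php/demo/hello/Fabien` returns 404 and `curl -I http://example.test/demo/hello/Fabien` is served by app.php, which matches the "After" behaviour the PR asked for. Remove the `internal;` directive if you deliberately want URLs that include the front controller to keep working. On Apache the equivalent change is in the `.htaccess` rule Tobion refers to: keep the `RewriteCond %{ENV:REDIRECT_STATUS} ^$` guard (so the internal rewrite to app.php is unaffected) and replace the `R=301` redirect with a rule such as `RewriteRule ^app\.php(?:/|$) - [R=404,L]`, since mod_rewrite treats a non-3xx `R=` status as an error response and stops rewriting.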
@phansys
Author

phansys commented Oct 4, 2014

Thank you @fabpot.
I just added symfony/symfony-docs#4295.
