Skip to content

This article is a NOTHING #4517

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Bill5203 opened this issue Mar 6, 2025 · 1 comment
Open

This article is a NOTHING #4517

Bill5203 opened this issue Mar 6, 2025 · 1 comment

Comments

@Bill5203
Copy link

Bill5203 commented Mar 6, 2025

From manual page: https://php.net/security.cgi-bin.doc-root

You stated the problem but did not answer it. There is no explanation on how to set it or where to find further info. The link user_dir takes to is also useless nothing. The whole manual is a mess I couldn't find anything useful.

The way to create such manuals is to:

  • state the issue
  • explain in details
  • provide solution (give an example where appropriate)
  • explain the solution in detail
  • provide further reading (where appropriate)

Yes, this is LOTS of work.
If it is not done, the pages become cyber-rubbish creating headaches and frustration. Like this one.
@philip
Copy link
Member

philip commented Mar 6, 2025

This is how ChatGPT turned this text using your desired format as a prompt, does it make more sense to you?

Securely Configuring PHP Script Execution

Overview

Placing executable scripts, such as PHP files, directly into web-accessible directories can introduce security vulnerabilities. If a server misconfiguration causes these scripts to be displayed as plain text instead of executing, sensitive information like passwords or proprietary code may be exposed.

Issue

If PHP scripts reside within web-accessible directories and the server fails to interpret them, the script's content—including sensitive credentials and source code—can become visible to users.

Recommended Solution

To enhance security, store PHP scripts in a dedicated directory separate from the web document root. PHP offers two configuration directives to accomplish this separation:

  • doc_root: Specifies the root directory from which PHP scripts will exclusively execute.
  • user_dir: Allows individual users to have separate directories independent of the main doc_root.

Configuring doc_root (Detailed Explanation)

Define the doc_root in your PHP configuration (php.ini) or via the environment variable PHP_DOCUMENT_ROOT. Once defined, PHP's CGI mode strictly limits script execution to this directory, preventing accidental execution outside it.

Example:

doc_root = /var/www/php-scripts

With this configuration, accessing the URL:

http://example.com/script.php

results in executing the script:

/var/www/php-scripts/script.php

This configuration ensures no PHP script outside /var/www/php-scripts is executed, effectively safeguarding your environment.

Using user_dir for User-Specific Directories (Detailed Explanation)

The user_dir directive allows distinct user directories for script execution, separate from the global doc_root.

  • If user_dir is not set:
    • URLs formatted like:
http://example.com/~user/script.php

will resolve literally to:

/var/www/php-scripts/~user/script.php
  • If user_dir is set, such as public_php, the URL:
http://example.com/~user/script.php

executes scripts located in the user's home directory:

/home/user/public_php/script.php

This configuration supports secure, user-specific script hosting independent of the main script directory.

Further Reading

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@philip @Bill5203