tekrat

Apache Source Code Defense

I’ve released a small patch (read: hack) that can help prevent source code from being displayed by Apache. In theory this will work for any handler, but it was designed specifically with PHP in mind. The patch is intended as a last line of defense if Apache attempts to display code with its default handler, say, due to a misconfiguration. It essentially filters out files with the defined extensions so that they cannot be handled by Apache’s default handler. This means you’ll have to hardcode your extensions into the patch. Please feel free to use this, but I’m not responsible for it not working as advertised. Lucas has posted a blog post about how we use something similar at Facebook. I’ve modified it for public release, so hit me up with any problems.
Available via the MIT License

Download: ap_source_defense.patch (Facebook mirror)
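To illustrate the kind of extension filter described above, here is an added example that is not code from the patch. The extension list, the function names and the idea of applying the check to the request's resolved filename are assumptions; how the patch itself refuses the request is not shown on this page.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical hardcoded list; the patch's real list is not shown on the page. */
static const char *const blocked_exts[] = { "php", "phtml", "inc" };

/* Case-insensitive equality, so INDEX.PHP is treated like index.php. */
static int ext_equal(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == *b;
}

/*
 * Return 1 if a default (static file) handler should refuse to serve this
 * path, 0 otherwise. Assumption: the caller passes the resolved filesystem
 * path of the request.
 */
int source_defense_blocked(const char *path)
{
    const char *base, *dot;
    size_t i;

    if (path == NULL)
        return 0;

    /* Look only at the last path component, so a dot in a directory name
       (/var/www/site.php/logo.png) is not mistaken for an extension. */
    base = strrchr(path, '/');
    base = base ? base + 1 : path;

    dot = strrchr(base, '.');
    if (dot == NULL || dot[1] == '\0')
        return 0; /* no extension, or a trailing dot */

    /* Only the final extension is compared: index.php.bak is NOT caught
       unless "bak" is added to the list. */
    for (i = 0; i < sizeof(blocked_exts) / sizeof(blocked_exts[0]); i++) {
        if (ext_equal(dot + 1, blocked_exts[i]))
            return 1;
    }
    return 0;
}
```

Because only the last extension is matched, editor backups and renamed copies such as `index.php.bak` still need their own entries in the hardcoded list.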

