How to Secure PHP code in htm Pages and Partials?
I'm using OctoberCMS, based on Laravel and Twig, with Nginx and PHP7.0-FPM.
I make a Page or Partial using the CMS Backend Editor, where I can edit the HTML markup and code.
The Page will render as localhost/mypage and hides the php source code.
But I'm able to go to localhost/themes/mysite/pages/mypage.htm in the browser and view the Twig markup and PHP comments in plain text.
And on some pages I can view all of the PHP and Laravel code like connection to database names and tables.
Anything in function onStart() in the Code editor is shown too, even though it's wrapped in PHP tags in the .htm file.
mypage.htm output:
However when viewing a .php file, it only shows the output and not the source.
I tried to change the page file extension to php instead of htm but get the error:
Invalid file extension: php. Allowed extensions are: htm.
Answer
Have you set up nginx correctly to blacklist those and other unpermitted files? http://octobercms.com/docs/setup/configuration#nginx-configuration
Alternatively, you can take a whitelist approach to security and utilize the october:mirror command: http://octobercms.com/docs/setup/configuration#public-folder
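To make the blacklist approach concrete, here is an nginx server block added as an illustration (it is not the OctoberCMS documentation's config nor the answerer's). It assumes the install lives at /var/www/mysite and PHP 7.0-FPM listens on /run/php/php7.0-fpm.sock; it serves static assets from themes/, plugins/ and modules/ but refuses everything else in those trees, so a request for /themes/mysite/pages/mypage.htm is denied instead of returning the raw Twig and PHP.

```nginx
server {
    listen 80;
    server_name localhost;                 # assumption: the asker's local host name
    root /var/www/mysite;                  # assumption: OctoberCMS install root
    index index.php;

    # Anything that is not an existing file is routed through the front controller,
    # which is what turns themes/mysite/pages/mypage.htm into /mypage.
    location / {
        try_files $uri /index.php$is_args$args;
    }

    # themes/, plugins/ and modules/ contain source (.htm pages and partials,
    # .yaml configs, .php classes). Only static asset types may be fetched directly;
    # regex locations are tested in order, so this allow rule must precede the deny.
    location ~ ^/(themes|plugins|modules)/.*\.(css|js|map|png|jpe?g|gif|svg|ico|woff2?|ttf|eot)$ {
        try_files $uri /index.php$is_args$args;
    }
    # Everything else under those directories (the .htm source, yaml, php) is blocked.
    # "deny all" answers 403; use "return 404;" instead if you prefer not to confirm
    # that the file exists.
    location ~ ^/(themes|plugins|modules)/ {
        deny all;
    }

    # Framework internals, configuration (database credentials) and vendor code.
    location ~ ^/(config|storage|vendor|bootstrap|tests)/ {
        deny all;
    }
    # Dotfiles such as .env and .git.
    location ~ /\. {
        deny all;
    }

    # Only the front controller is handed to PHP-FPM; any other .php path is refused,
    # so a stray .php file dropped in the web root cannot be executed by URL.
    location = /index.php {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;   # assumption: PHP 7.0-FPM socket
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
    location ~ \.php$ {
        return 404;
    }
}
```

After reloading nginx, fetch /themes/mysite/pages/mypage.htm with curl and confirm you get a 403 or 404 rather than the Twig source. With the whitelist approach from the answer, `root` would point at the mirrored public directory instead, and these deny rules become a second layer rather than the only one.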