How to Secure PHP code in htm Pages and Partials?



I'm using OctoberCMS, based on Laravel and Twig, with Nginx and PHP7.0-FPM.

I make a Page or Partial using the CMS Backend Editor. I can edit the HTML Markup and Code.


The Page will render as localhost/mypage and hides the php source code.

But I'm able to go to localhost/themes/mysite/pages/mypage.htm in the browser and view the Twig markup and PHP comments in plain text.

And on some pages I can view all of the PHP and Laravel code like connection to database names and tables.

Anything that is in function onStart() in the Code editor, even though it's wrapped in php tags in the htm file.

mypage.htm output:


However when viewing a .php file, it only shows the output and not the source.

I tried to change the page file extension to php instead of htm but I get the error:

Invalid file extension: php. Allowed extensions are: htm.



Have you set up nginx correctly to blacklist those and other unpermitted files?

Alternatively, you can take a whitelist approach to security and utilize the october:mirror command:
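The blacklist approach mentioned in the answer, as an added nginx server block (not from the answer or from the OctoberCMS project). The document root, server name and the PHP-FPM socket path are assumptions for a typical install; the point is that without a rule like this, `/themes/mysite/pages/mypage.htm` is just a static file to nginx and gets served verbatim, Twig markup and PHP section included.

```nginx
# Added example: keep CMS source files out of reach of the static file handler.
# root, server_name and the fastcgi socket are assumptions for a typical setup.
server {
    listen 80;
    server_name localhost;
    root /var/www/mysite;      # assumption: OctoberCMS project root
    index index.php;

    # Only the front controller is ever passed to PHP-FPM.
    # An exact-match location wins over every regex location below.
    location = /index.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;   # assumption: default PHP 7.0 socket
    }

    # Blacklist, part 1: any other .php file is neither executed nor served.
    # 404 rather than "deny all" (403) so the response does not confirm the file exists.
    location ~ \.php$ {
        return 404;
    }

    # Blacklist, part 2: theme/plugin/module sources (.htm pages, partials,
    # layouts, .yaml config) are source code, not static content.
    # Regex locations are tried in order, so this must precede the assets rule.
    location ~ ^/(themes|plugins|modules)/.*\.(htm|yaml)$ {
        return 404;
    }

    # Static theme assets (css/js/images) are the only theme files served directly.
    location ~ ^/themes/.*/assets/ {
        try_files $uri =404;
    }

    # Everything else (e.g. /mypage) is routed to the front controller,
    # which is what renders the page instead of exposing its source.
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
}
```

After reloading nginx, `/mypage` still renders while `/themes/mysite/pages/mypage.htm` returns 404; check both in a browser or with curl to confirm the rule order took effect.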