Posted by Rasmus Lerdorf on 10/04/36 11:05

Jason Barnett wrote:
>> the wrong permissions. Why does apache not server the 403 on the php
>> page? Maybe this is better off in the apache list.
>>
>>
>
> Yeah, this is really better on an Apache list... but...
> http://httpd.apache.org/docs/mod/core.html#errordocument

No, it has nothing to do with Apache. Apache doesn't open the file, PHP
does. You could argue that PHP should try to throw a 403 on a
permissions error, but the problem is that it is really too late in the
game to do so once we get to the content handler phase where PHP lives.
It could be hacked to do it a number of ways, but it wouldn't be pretty
and it wouldn't be very consistent either since we would have to only do
it if no output has been sent on the request yet. So a sub-request or
an auto-prepend would both change the behaviour.

Turning off display_errors really is the answer to the particular
security concern raised here.

-Rasmus

• Next in thread: Re: [PHP] 403 not working -- apache 2 / php5 / linux
• Prev in thread: Re: [PHP] 403 not working -- apache 2 / php5 / linux
• Next in forum: RE: [PHP] Comparison Operator
• Prev in forum: Re: [PHP] 403 not working -- apache 2 / php5 / linux
• Thread view: 403 not working -- apache 2 / php5 / linux

[Reply to this message]