Cache or PHP-info is none of your business

Heine —Sat, 2007/02/24 - 09:41

I have a few extra scripts in the webroot of several sites to provide me with server information when I need it. These scripts tend to reveal far too much to just anyone. Here's how you can quickly limit access to the Drupal admin user (the first user created on the site, uid 1).

Create a file restrict.php. The example assumes all files (restrict.php, info.php and apc.php) are in the Drupal root directory. You need to adapt the include paths if you save the files elsewhere. You can make the access criteria as baroque as you need; the example simply checks on user id.

<?php
// restrict.php
// Check whether the user is the Drupal admin user (uid 1). Display an access denied page and exit if not.
require_once("./includes/bootstrap.inc");
// A full bootstrap loads the session and populates the global $user object.
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
if ($user->uid != 1) {
  drupal_maintenance_theme();
  drupal_set_title('Access denied');
  print theme('maintenance_page', '<p>Access denied. You are not authorized to access this page.</p>');
  exit();
}

You can, by simply including restrict.php, limit access to phpinfo ...

<?php
// info.php: restrict access to phpinfo(); restrict.php exits before phpinfo() runs for anyone but uid 1.
require_once('./restrict.php');
phpinfo();

... or apc.php.

// ...
# Tie in to Drupal access control.
# Prevent non-uid 1 users from accessing this page.
require_once('./restrict.php');

$VERSION='$Id: apc.php,v 3.51 2005/04/02 02:07:41 rasmus Exp $';
//...
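The post notes that the access criteria can be as elaborate as you need. As an added example (not the original post's code), here is a stricter restrict.php that also admits accounts holding a core permission, logs refused attempts to the watchdog, and sends a real 403 status. It assumes the Drupal 5 API of the period: drupal_bootstrap(), user_access(), drupal_set_header() and the four-argument watchdog(); the choice of permission is an assumption, pick whichever fits who may see server internals on your site.

```php
<?php
// restrict.php, stricter variant (added example; assumes the Drupal 5 API).
require_once './includes/bootstrap.inc';
// Full bootstrap: loads the session and populates the global $user object.
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);

// Accounts with this core permission are allowed in addition to uid 1 (assumed choice).
define('RESTRICT_PERMISSION', 'administer site configuration');

// Returns TRUE when $account may view the protected script.
function restrict_allowed($account) {
  if (empty($account->uid)) {
    return FALSE;               // anonymous visitors are never allowed
  }
  if ($account->uid == 1) {
    return TRUE;                // the site admin, as in the original check
  }
  return user_access(RESTRICT_PERMISSION, $account);
}

// This file is included in global scope, so $user is directly available.
if (!restrict_allowed($user)) {
  // Record who was refused; 'access denied' is the watchdog type core itself uses.
  watchdog('access denied', t('uid %uid from %ip denied access to %script', array(
    '%uid' => $user->uid,
    '%ip' => $_SERVER['REMOTE_ADDR'],
    '%script' => $_SERVER['SCRIPT_NAME'],
  )), WATCHDOG_WARNING);
  // Send a genuine 403 so proxies and scanners do not treat the denial page as a 200.
  drupal_set_header('HTTP/1.1 403 Forbidden');
  drupal_maintenance_theme();
  drupal_set_title('Access denied');
  print theme('maintenance_page', '<p>Access denied. You are not authorized to access this page.</p>');
  exit();
}
```

Refused attempts then show up under Administer > Logs with the type "access denied", which is where you would notice someone probing for info.php.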

  • Drupal
  • PHP

Comments

I think

Submitted by Anonymous (not verified) on Sun, 2007/04/22 - 01:32

Don't you need global $user; at the beginning?

Scope

Submitted by Heine on Thu, 2007/05/03 - 15:58

No, as we're mucking in the global scope, $user is already available.

changelog

Submitted by bertboerland (not verified) on Sat, 2008/04/05 - 18:38

So we obfuscate HTTP headers on d.o (just Apache and PHP, no version information) and we hide phpinfo, but having a CHANGELOG.txt in the docroot is not bad? I don't get it Heine, and yes this is one of the 100 things I don't agree with "the rest" but learned to deal with it :)


Copyright © 2021 by Heine Deelstra. All rights reserved.
