5

I have one file that should only be accessible via the POST method.

/var/www/folder/index.php

The document root is /var/www/ and index.php is nested inside a folder.

Version of Apache is: 2.4.4.
My configurations are as follows:

<Directory "/var/www/folder">
    <Files "index.php">
        order deny,allow
        Allow from all
        <LimitExcept POST>
            Deny from all
        </LimitExcept>
    </Files>
</Directory>

I visit my server at 127.0.0.1/folder but I can GET and POST the file just like normal.

I've also tried reversing the order, order allow,deny, require, limitexcept and limit.

How can I only allow POST requests to be processed by one file in a folder?

Dave Chen

4 Answers

6

You could use the Require directive:

<Directory "/var/www/folder">
    <Files "index.php">
        Require method POST
    </Files>
</Directory>

However, since that's part of the authorization section, you may want to try this instead:

<Directory "/var/www/folder">
    <Files "index.php">
        <LimitExcept POST>
            Order allow,deny
            Deny from all
        </LimitExcept>
    </Files>
</Directory>
Jack
4

If your apache config tricks don't work, you could do it in the index.php itself. At the top of the file add something like this:

<?php
if($_SERVER['REQUEST_METHOD'] != "POST") {
    header("HTTP/1.0 403 Forbidden");
    print("Forbidden");
    exit();
}
Dennis Kaarsemaker
    Sorry, I would prefer to do this at the apache level. If this were a PHP issue, I'd post this on StackOverflow :) – Dave Chen Oct 18 '13 at 08:13
1

The Order, Allow and Deny family of access control directives have been deprecated in favour of mod_authz_host.

This may actually be the reason that your existing config is not working, as any conflicting Require directives will take precedence over your config (which is still supported by means of mod_access_compat, but these directives will be removed in a future version).

Since you are using the 2.4 family, you should also be using the new style directives. I have tested the below configuration on 2.4.4 and it works as desired:

<Directory "/var/www/folder">
    Require all granted
    <Files "index.php">
        <LimitExcept POST>
            Require all denied
        </LimitExcept>
    </Files>
</Directory>

Jack's observation that you could use the Require method directive is also correct and arguably a more 2.4-like way of doing this.

DaveRandom
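As an added example (not code from any of the answers here), a Python probe that sends each HTTP method to a URL on its own connection and reports the status per method, so you can verify the rule above from the outside. The `_PostOnlyHandler` mock server is a constructed stand-in for Apache, included only so the script runs offline; the function names are this example's own.

```python
"""Probe which HTTP methods a URL accepts, to verify a POST-only Apache rule."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH")

def probe_methods(url, methods=METHODS, timeout=5):
    """Send each method to url on a fresh connection; return {method: status}."""
    parts = urlsplit(url)
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
        conn.request(method, parts.path or "/")  # http.client adds Content-Length: 0 for POST/PUT/PATCH
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection can be closed cleanly
        results[method] = resp.status
        conn.close()
    return results

def only_post_allowed(results):
    """True when POST got a 2xx and every other method (HEAD, OPTIONS included) was refused."""
    return results.get("POST", 0) // 100 == 2 and all(
        status in (403, 405) for m, status in results.items() if m != "POST")

class _PostOnlyHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for Apache: /folder/index.php answers POST only, all else 403."""
    POST_ONLY = "/folder/index.php"

    def _handle(self):
        denied = self.path == self.POST_ONLY and self.command != "POST"
        self.send_response(403 if denied else 200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the probe output quiet
        pass

for _m in METHODS:  # BaseHTTPRequestHandler dispatches on do_<METHOD>
    setattr(_PostOnlyHandler, "do_" + _m, _PostOnlyHandler._handle)

def start_mock_server():
    """Start the stand-in on an ephemeral localhost port; return (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), _PostOnlyHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_port
```

Against the real server, call `probe_methods("http://127.0.0.1/folder/index.php")` and expect only POST to return 200; HEAD and OPTIONS are in the list because `<LimitExcept POST>` must refuse them as well as GET.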
-1

A rewrite condition would be indeed more efficient but less secure due to the use of Regex which can be tricky sometimes.

Dr I
    Can you provide an example of where this might be insecure? – Dave Chen Oct 18 '13 at 05:18
  • Hi Dave, Indeed, this solution completely fits your needs and it is secure unless you're using it on random/variable directories. For example: a regex looking for a specific directory, or a not too variable one, will be able to do the job correctly. Now let's say that you want this filtering to work on a really variable format of directory (on an API, randomly ;-) ), then you'll have to deal with a potentially large number of possibilities, which can lead to an unexpected result. I mean, are you sure that your regex will be catching every possible URI? Are you sure that it will evolve? – Dr I Oct 18 '13 at 09:07