Preventing access to backup PHP~ files in Apache

Many Linux command-line people use the VI editor; but if you’re like me and prefer Emacs, you often run into the “problem” that Emacs creates backup files using the original filename and appending a tilde (~) to the end of the filename. E.g. “secret.conf.php” becomes “secret.conf.php~”.

There are a number of ways to go around this, of course. One way is to configure a separate directory for each user where Emacs stores its backup files, and then make that directory readable only by the user.

Why is this a problem? Well, if you’re using Emacs to quickly modify PHP applications’ configuration files, like the database configuration file, you’ll leave a trail of .php~ files. These files are typically not parsed by the PHP processor, instead they are handled by the text file handler in Apache. Meaning, if I enter the url http://myverycoolsite.com/secret.conf.php~, Apache will gladly display its actual contents, just like if you were editing the file.

This can be prevented by using the .. configuration construct in Apache like so:

<Files ~ “\.(html\~|htmls\~|php\~|phps\~|php3\~|php4\~)$”>
  Order allow,deny
  Deny from all
</Files>

Perhaps not the most elegant of solutions, but it works. It will result in an “Forbidden” response from Apache. Check out the Apache documentation for more details on this directive.

You can go back to sleep now 🙂

One thought on “Preventing access to backup PHP~ files in Apache”

  1. Hi,

    Let me take this a step higher. I would affirm that if you have trouble with .php~ files on anything else but your local development box, your way of developing and releasing software is wrong.

    1) Never change code on the prod machines
    2) Develop locally, stage remotely, pre-prod remotey, then release

    And all of the above using a propre environment that does all the nasty for you. Virtualization, anyone? 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *

Notify me of followup comments via e-mail. You can also subscribe without commenting.