Hi,
I'm trying to do something I think is pretty neat, but I've just about pulled my hair out by the behavior of my server. I'm hosting on GoDaddy, using a subdomain (www.mywebpage.com maps to /mywebpage), running Apache 1.3.33, and PHP 4.3.11. The goal is to use PHP to install an .htaccess file in a folder to forbid PHP files from being accessed from outside the server.
I have a working .htaccess file in one folder, and I have been trying to mimic it's nature as close as possible. Everytime I try to generate one elsewhere the results are spotty and inconsistent.
The PHP script checks to see if the folder's permissions are set to 0755 first, then creates and writes the '.htaccess' file and sets its permissions to 0644. This is what it writes (with no newline at the end, because that seemed to be a problem):
SetEnvIfNoCase Referer "^http://www.mywebpage.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://www.mywebpage.com$" locally_linked=1
SetEnvIfNoCase Referer "^http://mywebpage.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://mywebpage.com$" locally_linked=1
SetEnvIfNoCase Referer "^$" locally_linked=1
<FilesMatch "\.php$">
Order Allow,Deny
Allow from env=locally_linked
</FilesMatch>
<Files ~ "\.php$">
Order Allow,Deny
Deny from All
</Files>
The working example that I handmade works consistently, and when I compare my generated file and its container folder's stats [stat()] (permissions, owners, etc.) they are exactly the same in terms of owners and permissions. I have done a byte-by-byte comparison of the working .htaccess file to the non-working, and they are the same. Yet, one folder seems to just work, and the other's don't, or mysteriously do.
When the PHP script 'installs' the file, it generates an HTTP request to the directory + 'test.php', with a spoofed referrer. The working .htaccess file returns 403 Forbidden even if the file doesn't exist, but the script seems to get 404's or 200's.
I know I must be missing something, but what could it be?