X-Git-Url: https://jasonwoof.com/gitweb/?a=blobdiff_plain;f=.htaccess;h=1c77df30d7e6a67dc04e9a11c64632de431f155f;hb=0fe7d3a2caae8d256406209020ee8a160cc04faf;hp=c496a282feb1c293579655da7846a53b69519ddf;hpb=7eee99585040417e2be07833570d11ccd7e66c44;p=wfpl-cms.git
diff --git a/.htaccess b/.htaccess
index c496a28..1c77df3 100644
--- a/.htaccess
+++ b/.htaccess
@@ -7,9 +7,7 @@ DirectoryIndex disabled
 AddDefaultCharset UTF-8
 AddCharset UTF-8 .css
 RewriteEngine on
-RewriteRule ^[^/.]*$ /wfpl_main.php [L]
-# Close loophole in security restriction/exception below
-RewriteRule ^.*/.*wfpl_main.php$ /wfpl_main.php [L]
+RewriteRule ^[^/.]*$ /wfpl_main.php [L]
 ExpiresActive On
@@ -23,10 +21,10 @@ SetHandler default-handler
 Options SymlinksIfOwnerMatch
 php_flag engine off
 RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
-# Exception: allow access to wfpl_main.php
-#
-# this allows access to any files named "wfpl_main.php" anywhere, so there's a
-# rewrite rule above to use the top-level one, no matter which was requested.
+# code execution exception: allow only /wfpl_main.php
+# matches regardless of directory/path, so rewrite php in subdirs
+RewriteRule ^wfpl_main\.php$ - [L]
+RewriteRule .*\.php$ - [L,R=404]
 php_flag engine on
 SetHandler application/x-httpd-php
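Review bot: The deny rule added in the second hunk, `RewriteRule .*\.php$ - [L,R=404]`, is anchored on the end of the path, and in per-directory context mod_rewrite matches the pattern with any trailing path info re-appended, so a request for a `wfpl_main.php` in a subdirectory that carries extra path after the script name would probably not end in `.php` and would skip the 404, while the exception that follows (which the comment says matches regardless of directory) still enables PHP for it. Matching the extension as a path segment, `RewriteRule \.php(/|$) - [L,R=404]`, and adding `AcceptPathInfo Off` would close that gap, provided the application does not rely on path info after `/wfpl_main.php`. The new comment says "rewrite php in subdirs", but the rule returns 404 rather than rewriting and also covers any other top-level `.php` file; something like `# every other *.php request gets a 404, because the exception below matches by file name in any directory` would describe it accurately. The block these rules protect continues past the end of the hunk, so its full contents are not visible here.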