Shairyar

Reputation: 3356

Symfony Not able to access dev environment on production server

Okay, so I am trying to access the dev environment on the production server to check a problem. I know I am supposed to add app_dev.php (example.com/app_dev) at the end of the URL and make sure my IP has been added in this file:

if (isset($_SERVER['HTTP_CLIENT_IP'])
    || isset($_SERVER['HTTP_X_FORWARDED_FOR'])
    || !(in_array(@$_SERVER['REMOTE_ADDR'], array('127.0.0.1', 'fe80::1', '::1')) || php_sapi_name() === 'cli-server')
) {
    header('HTTP/1.0 403 Forbidden');
    exit('You are not allowed to access this file. Check '.basename(__FILE__).' for more information.');
}

However, I still see the message:

You are not allowed to access this file. Check app_dev.php for more information.

What else am I missing?

Upvotes: 1

Views: 552

Answers (3)

Kal Zekdor

Reputation: 1224

I think that bit of code is just broken outright. As far as I know, isset($_SERVER['HTTP_X_FORWARDED_FOR']) is always set, even for local requests.

I had to rewrite the check to something more robust, as it suggested.

// Feel free to remove this, extend it, or make something more sophisticated.

Upvotes: 1
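One way to make the gate more robust, as the answer above suggests: an added example that is not code from the question, any answer, or Symfony itself. The function name and the $trustedProxies list are illustrative assumptions; it keeps the original rule (deny when a forwarding header arrives from an untrusted peer) and goes one step further by accepting the last X-Forwarded-For hop only when the TCP peer is a reverse proxy you control.

```php
<?php
// Added example, not part of app_dev.php or any answer on the page.
// isDevAccessAllowed() and $trustedProxies are assumed names for illustration.

/**
 * Decide whether a request may reach the dev front controller.
 *
 * @param array    $server         The $_SERVER array (passed in so it is testable).
 * @param string[] $allowedIps     Client addresses allowed to use app_dev.php.
 * @param string[] $trustedProxies Reverse proxies whose X-Forwarded-For we believe.
 */
function isDevAccessAllowed(array $server, array $allowedIps, array $trustedProxies): bool
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return false;
    }

    if (!in_array($remote, $trustedProxies, true)) {
        // An untrusted peer that presents forwarding headers is most likely a
        // local reverse proxy relaying an external client, so deny, exactly as
        // the original app_dev.php block does. Otherwise the peer is the client.
        if (isset($server['HTTP_CLIENT_IP']) || isset($server['HTTP_X_FORWARDED_FOR'])) {
            return false;
        }
        return in_array($remote, $allowedIps, true);
    }

    // Behind a trusted proxy: the proxy appends the real client to the END of
    // X-Forwarded-For, so only the last hop is trustworthy; earlier entries are
    // client-controlled and are deliberately ignored.
    $hops   = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    $client = end($hops);
    if ($client === false || filter_var($client, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    return in_array($client, $allowedIps, true);
}

// Usage in app_dev.php, replacing the original if-block. With an empty proxy
// list this behaves like the original check minus the cli-server exception.
if (!isDevAccessAllowed($_SERVER, ['127.0.0.1', 'fe80::1', '::1'], [])) {
    header('HTTP/1.0 403 Forbidden');
    exit('You are not allowed to access this file. Check '.basename(__FILE__).' for more information.');
}
```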

phpisuber01

Reputation: 7715

For the purpose of testing, comment out the whole block and delete the file when you're finished testing.

Ideally, you would completely remove those files on a production deployment anyways as it opens you up to potential security loopholes:

  1. Someone with good knowledge of Symfony and some ninja-level skills could bypass this and cause heartache.

  2. An attacker may assume other similar development files may exist such as /config.php and exploit those also.

Again, just comment out the block instead of trying to program it to work. The files should not exist in production anyways.

Upvotes: 3

tftd

Reputation: 17062

The reason for your problems is the php_sapi_name() check. If you are running the PHP built-in server, the SAPI will be cli-server, therefore causing a 403 error. It is strongly recommended that you do NOT use the built-in server on production servers.

If you, however, want to use the built-in server, you need to remove that check and everything should be working:

// Addresses allowed to reach the dev front controller
$allowed = array('127.0.0.1', 'fe80::1', '::1');

// Deny when a forwarding header is present or the peer is not in the allow list
if (isset($_SERVER['HTTP_CLIENT_IP'])
    || isset($_SERVER['HTTP_X_FORWARDED_FOR'])
    || !in_array(@$_SERVER['REMOTE_ADDR'], $allowed)
) {
    header('HTTP/1.0 403 Forbidden');
    exit('You are not allowed to access this file. Check '.basename(__FILE__).' for more information.');
}

Upvotes: 0
