Monday, June 11, 2012

Check AllowOverride value using PHP?

Is there anyway to use PHP to check the value of AllowOverride too see if .htaccess will have any effect?

Source: Tips4all


  1. I am not aware of a clean, direct way to do this.

    If you have http access to the folder you want to check this for, you could write something into the .htaccess file that will trigger a certain kind of output.

    For example, you could set a header (this has an added dependency on mod_headers, though):

    <FilesMatch "\.(php)$">
    <IfModule mod_headers.c>
    Header set htaccess_works "yes"

    then make a request from PHP, and check the response headers, e.g. using curl's CURLOPT_HEADER. If they contain the htaccess_works header, it works.

    Another method that is terrible but guaranteed to work independently from specific Apache modules is to programmatically write gibberish into the .htaccess file, then to make a curl request like above, and to check for a 500 status code. If it throws a 500, the .htaccess file got interpreted. But as said, this is terrible - if possible, go with the headers method instead.

  2. In complement to @Pekka response:

    AllowOverride can be set to None or All, but as well to a specific list of terms:
    AuthConfig, FileInfo, Indexes, Limit, Options. So you could be allowed to use a Header instruction but not Deny, for example.

    So a way to test the real value of AllowOverride is to add this to your .htaccess:

    AuthName "Secret"
    ErrorDocument 404 index.php
    DefaultIcon /icon/unknown.xbm
    Allow From All
    Options FollowSymLinks

    Then if you have an 500 error comment lines to detect which words (sections) are forbidden. You'll get an error 500 until you remove every forbidden instruction. When you'll know the allowed sections you'll have to check the documentation for the complete list of allowed instructions.

    If you do not have any error you have AllowOverride None or All. Then alter the Deny/Allow to:

    Deny From All

    If you have the 403 result it's a AllowOverride All.