Block access to all php and phar files that are uploaded into the media folder

.docker/frankenphp/Caddyfile

@@ -51,5 +51,9 @@
 	# Disable Topics tracking if not enabled explicitly: https://github.com/jkarlin/topics
 	header ?Permissions-Policy "browsing-topics=()"
 
+	# Prevent PHP execution in the media upload directory
+	@php_in_media path_regexp (?i)^/media/.*\.(php[3-8]?|phar|phtml|pht|phps)$
+	respond @php_in_media 403
+
 	php_server
 }

.docker/symfony.conf

@@ -15,6 +15,14 @@
             AllowOverride All
         </Directory>
 
+        # Prevent PHP execution in the media upload directory (server-level, not .htaccess,
+        # because public/media is a Docker volume and .htaccess there may not be present)
+        <Directory /var/www/html/public/media>
+            <FilesMatch "(?i)\.(php[3-8]?|phar|phtml|pht|phps)$">
+                Require all denied
+            </FilesMatch>
+        </Directory>
+
         # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
         # error, crit, alert, emerg.
         # It is also possible to configure the loglevel for particular

docs/installation/nginx.md

@@ -52,6 +52,11 @@ server {
     location ~ \.php$ {
         return 404;
     }
+
+    # Prevent PHP execution in the media upload directory
+    location ~* ^/media/.*\.(php[3-8]?|phar|phtml|pht|phps)$ {
+        return 403;
+    }
     
     # Set Content-Security-Policy for svg files, to block embedded javascript in there
     location ~* \.svg$ {

public/media/.gitignore

@@ -1,3 +1,4 @@
 # Ignore everything except this .gitignore
 *
-!.gitignore
+!.gitignore
+!.htaccess

public/media/.htaccess

@@ -0,0 +1,10 @@
+# Deny access to PHP and PHP-like files to prevent remote code execution
+<FilesMatch "(?i)\.(php[3-8]?|phar|phtml|pht|phps)$">
+    <IfModule mod_authz_core.c>
+        Require all denied
+    </IfModule>
+    <IfModule !mod_authz_core.c>
+        Order deny,allow
+        Deny from all
+    </IfModule>
+</FilesMatch>