I have a substantial number of rewrite rules in place for a variety of reasons such as:
disallow indexes, set custom error pages, force non-www, https, strip trailing slash, redirect index.html or.php to root, pretty URLs (hides file extensions & queries), strip anything after ".php/" (currently disabled)
The last block labeled "STRIP ANYTHING AFTER .php/" allows for nonsense URLs (URLs with Additional Path Info) like example.com/index.php/somefolder/anotherfolder/file/query... to redirect to a default page rather than rendering broken pages or 500 errors. This is ok but what I'm hoping for is for such nonsense URLs to go 404.
MrWhite has educated me on the proper use of AcceptPathInfo Off and I've been reading up on the Apache AcceptPathInfo Directive.
I've added the AcceptPathInfo Off near the top of the array. I've commented out the last block "strip anything after .php/" which worked to send URLs with "Additional Path Info" to a working default page.
URLs with Additional Path Info are not going 404. They're rendering broken pages like they were before I added the last block. The pages are broken due to errors such as trying to load css from locations that begin with the full, bad URL including all of the "Additional Path Info" such as example.com/index.php/somedirectory/anotherdirectory/more/css/reset.css when the css files are actually located at example.com/css/reset.css
This is basically where I started before I set up the last block. It seems like the AcceptPathInfo Off directive is just not working. I've tried disabling some of the other rules, no luck.
This is the full array of rules currently in place
AcceptPathInfo Off
Options -Indexes
Options +FollowSymLinks
RewriteEngine On
RewriteBase /
## SET CUSTOM ERROR PAGES ##
ErrorDocument 400 /error/error_400.php
ErrorDocument 401 /error/error_401.php
ErrorDocument 403 /error/error_403.php
ErrorDocument 404 /error/error_404.php
ErrorDocument 500 /error/error_500.php
## FORCE HTTPS & NON-WWW ##
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L,NE]
## STRIP TRAILING SLASH ##
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [R=301,L]
## REDIRECT INDEX TO ROOT ##
RewriteRule ^index\.php$ / [R=301,L]
RewriteRule ^index\.htm$ / [R=301,L]
## PRETTY URLS FOR SPECIFIC, DYNAMIC FILES ##
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^items/([a-zA-Z0-9_-]+)$ item.php?item=$1 [L]
RewriteRule ^items/([a-zA-Z0-9_-]+)/$ item.php?item=$1 [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^free_items/([a-zA-Z0-9_-]+)$ free_item.php?item=$1 [L]
RewriteRule ^free_items/([a-zA-Z0-9_-]+)/$ free_item.php?item=$1 [L]
## PRETTY URL FOR ANY STATIC FILE ##
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([a-zA-Z0-9_-]+)$ $1.php [L,QSA]
## STRIP ANYTHING AFTER .php/ ##
## CREATES CHAIN OF 3 REDIRECTS 302-301-301 NOT GREAT ##
## RewriteCond %{THE_REQUEST} /([^.]+)\.php/? [NC]
## RewriteRule ^ /%1/ [NC,R,L]
## RewriteCond %{REQUEST_FILENAME} !-f
## RewriteCond %{REQUEST_FILENAME} !-d
## RewriteRule ^([^/]+)/?$ /$1.php [L,NC]
With this arrangement the bad URLs just redirect to default pages. The custom error pages are accessible if I hit the URL directly but it's virtually impossible to invoke a 404 not matter what nonsense URL you enter.
I tried modifying that last block slightly to send such nonsense URLs to 404 and it worked but due to some interaction with other rules the custom 404 page itself comes up 404. If I hard-code the full url of the error page (https://example.com/error/error_404.php) I get an endless 302 loop.
## STRIP ANYTHING AFTER .php/ SEND TO 404 ##
## SENDS BAD URLS TO 404 BUT CUSTOM 404 PAGE IS ALSO 404 ##
## RewriteCond %{THE_REQUEST} /([^.]+)\.php/? [NC]
## RewriteRule ^ /%1/ [NC,R=404,L]
## RewriteCond %{REQUEST_FILENAME} !-f
## RewriteCond %{REQUEST_FILENAME} !-d
## RewriteRule ^([^/]+)/?$ ^/$1.php [L,NC]