Hi
On Fri, 15 Jul 2011 10:50:35 -0400 Isaac Bennetch bennetch@gmail.com wrote:
On Jul 15, 2011, at 9:35 AM, Marc Delisle marc@infomarc.info wrote:
Hi,
we got a suggestion from a user about either restricting access to /setup or telling the installer to remove this directory after initial setup.
Let's discuss this...
If I remember correctly, the reason this wasn't done in the first place is that there's no vulnerability to leaving it exposed. The user moves the generated config.inc.php, and a malicious user can't write a new one that would be used. Additionally, users who wish to reconfigure later might want to run the setup; if it's removed they'll have to (presumably) reinstall the entire program.
If there were a good reason to remove it, then I'd certainly support the idea, but I don't see a compelling reason at the moment.
I've seen this in various web applications - they force you to remove setup once installation is done.
I don't think we should make it a hard requirement; however, suggesting to remove it after setup won't hurt.
Another option would be to limit access to it, for example only to authenticated MySQL users, which would limit the audience quite a lot.
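As an added illustration of the two options discussed in this thread (it is not part of the thread or of phpMyAdmin's own configuration), here is how an administrator can either block the setup directory entirely or keep it reachable only for an authenticated user, using Apache httpd 2.4 directives. The install path /var/www/phpmyadmin and the password file /etc/phpmyadmin/setup.htpasswd are assumed placeholders; option B uses HTTP basic authentication rather than MySQL credentials, so it is a stand-in for the "limit the audience" idea, not an implementation of it.

```apacheconf
# Added example, not phpMyAdmin project configuration.
# /var/www/phpmyadmin is an assumed install location.

# Option A: leave the directory on disk but refuse every HTTP request to it.
# This keeps the setup scripts available for a later reconfiguration
# (temporarily lift the block, then restore it) without exposing them.
<Directory "/var/www/phpmyadmin/setup">
    Require all denied
</Directory>

# Option B: keep it reachable, but only for an authenticated administrator.
# Only one of the two blocks should be active for the same directory,
# so this one is commented out. /etc/phpmyadmin/setup.htpasswd is assumed.
# <Directory "/var/www/phpmyadmin/setup">
#     AuthType Basic
#     AuthName "phpMyAdmin setup"
#     AuthUserFile /etc/phpmyadmin/setup.htpasswd
#     Require valid-user
# </Directory>
```

After reloading httpd, an anonymous request for /setup/ should return 403 (option A) or 401 (option B); if it still returns 200, the Directory path does not match the real on-disk location of the setup directory.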