Piotr Przybylski wrote:
2011/8/1 Michal Čihař michal@cihar.com:
Hi
On Sat, 16 Jul 2011 08:17:25 -0400 Marc Delisle marc@infomarc.info wrote:
Yes, but in these applications, the installation program does things like
- letting you choose an admin password
- entering database credentials
- creating initial database
- creating the effective configuration file
This is why they ask (or sometimes enforce) to remove the setup directory.
I don't see the same need for phpMyAdmin because our setup code never writes to the effective configuration file, only to a staging one.
Yes, this is true. However, you generally don't need setup after the initial installation, so removing it also won't hurt. And publicly exposing less (potentially vulnerable) code is always a good idea :-).
How about locking it completely when there is no writable "config" directory and a warning in main.php when writable "config" directory is detected?
I don't think it's a good idea because /setup can be used to download a config file when it's complete.