Hi all
While speaking with a friend about some recent security issues, we came to the quite obvious idea that access to the /libraries folder should be disabled (by providing a .htaccess file and suggesting the same configuration in the documentation) and all stuff that needs direct access should go out of this folder. Stuff that I quickly found that needs to be moved:
- *.js - create a /js folder for it?
- libraries/transformations/overview.php - should be IMHO in root anyway
Is there something else I missed? Any comments on implementing this in 2.7.0 branch?
Michal Čihař wrote:
Hi all
While speaking with a friend about some recent security issues, we came to the quite obvious idea that access to the /libraries folder should be disabled (by providing a .htaccess file and suggesting the same configuration in the documentation) and all stuff that needs direct access should go out of this folder. Stuff that I quickly found that needs to be moved:
- *.js - create a /js folder for it?
- libraries/transformations/overview.php - should be IMHO in root anyway
Is there something else I missed? Any comments on implementing this in 2.7.0 branch?
As IMO this is an improvement for security in general (path disclosure) and not a direct problem we have with 2.7.0, I would prefer to leave 2.7.0 as is and start moving stuff in HEAD.
Marc
Hi
On Mon 21. 11. 2005 00:52, Marc Delisle wrote:
As IMO this is an improvement for security in general (path disclosure) and not a direct problem we have with 2.7.0, I would prefer to leave 2.7.0 as is and start moving stuff in HEAD.
I'd like to change this in 2.7.0, as people will expect more changes here and will notice such a change more easily. However, I know it's quite late...
Hi all
On Mon 21. 11. 2005 00:52, Marc Delisle wrote:
As IMO this is an improvement for security in general (path disclosure) and not a direct problem we have with 2.7.0, I would prefer to leave 2.7.0 as is and start moving stuff in HEAD.
Okay, implemented in HEAD.
In case your test servers do not honour .htaccess files, please configure them to deny access to the libraries folder, so that we can catch any possible errors with such a setup.
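As an added example (not from this thread or the phpMyAdmin code base), a small scanner for the two questions raised above: which files under libraries/ are still fetched directly by browsers (src/href/action attributes) and therefore must move before the folder is denied, and what the denying .htaccess should contain for Apache 2.2 versus 2.4. The PHP sources it scans are constructed samples, and PHP include/require paths are deliberately ignored because they never go through the web server.

```python
import re

# Constructed sample of phpMyAdmin-style PHP/HTML sources (not real project files).
SAMPLE_SOURCES = {
    "index.php": """<?php require_once './libraries/common.lib.php'; ?>
<script type="text/javascript" src="libraries/functions.js"></script>
<link rel="stylesheet" href="themes/original/css/theme.css" />""",
    "tbl_properties.php": """<?php include_once './libraries/tbl_properties.inc.php';
echo '<a href="libraries/transformations/overview.php">' . $strTransformation . '</a>';
?>""",
    "main.php": """<?php require_once('./libraries/grab_globals.lib.php'); ?>
<form action="main.php" method="post">""",
}

# Attributes through which a browser fetches a URL on its own. PHP include/require
# statements are deliberately not matched: the interpreter reads those from disk,
# so they keep working when the web server denies HTTP access to the folder.
URL_REF = re.compile(
    r"""(?:src|href|action)\s*=\s*['"]   # attribute that carries a URL
        (?:\./)?                            # optional leading ./
        (libraries/[^'"?#]+)                # path below the libraries folder
    """,
    re.IGNORECASE | re.VERBOSE,
)

def find_direct_refs(sources):
    """Return sorted (file, path) pairs for files under libraries/ that a browser
    would request over HTTP, i.e. the ones that break once the folder is denied."""
    hits = set()
    for name, text in sources.items():
        for m in URL_REF.finditer(text):
            hits.add((name, m.group(1)))
    return sorted(hits)

def htaccess_deny(apache_major=2, apache_minor=2):
    """Directives for a libraries/.htaccess that denies all HTTP access.
    Apache 2.4 replaced Order/Deny with Require; the matching form is chosen by version.
    Either only takes effect where the server config permits .htaccess overrides."""
    if (apache_major, apache_minor) >= (2, 4):
        return "Require all denied\n"
    return "Order deny,allow\nDeny from all\n"

if __name__ == "__main__":
    for name, path in find_direct_refs(SAMPLE_SOURCES):
        print(f"{name}: browser-facing reference to {path} - move it out of libraries/")
    print(htaccess_deny(), end="")
```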