[Phpmyadmin-devel] about strConfigDirectoryWarning
Michal Čihař
michal at cihar.com
Wed Mar 25 14:10:08 CET 2009
Hi
Dne Wed, 25 Mar 2009 07:46:34 -0400
Marc Delisle <Marc.Delisle at cegepsherbrooke.qc.ca> napsal(a):
> I understand the idea behind this new message
>
> $strConfigDirectoryWarning = 'Directory [code]config[/code], which is
> used by the setup script, still exists in your phpMyAdmin directory. You
> should remove it once phpMyAdmin has been configured.'; //to translate
>
> but what I find unfortunate is that, by adding this warning, we will
> discourage admins to use the web-based interface for ongoing
> configuration tasks which can be more frequent than just the initial
> installation.
They just need to make it temporarily available during configuration, it
should not be there during normal operations.
> Maybe verify whether the directory is writable and if so, produce a
> warning? This way the admin would just have to change permission.
Even having the directory there can cause problems - it contains
generated config file, which setup script can read and display. This
way anonymous user can read anything what is in configuration (eg.
control user credentials).
--
Michal Čihař | http://cihar.com | http://blog.cihar.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://lists.phpmyadmin.net/pipermail/developers/attachments/20090325/8b04c4cd/attachment.sig>
More information about the Developers
mailing list