[Phpmyadmin-devel] about strConfigDirectoryWarning

Michal Čihař michal at cihar.com
Wed Mar 25 14:10:08 CET 2009


Dne Wed, 25 Mar 2009 07:46:34 -0400
Marc Delisle <Marc.Delisle at cegepsherbrooke.qc.ca> napsal(a):

> I understand the idea behind this new message
> $strConfigDirectoryWarning = 'Directory [code]config[/code], which is 
> used by the setup script, still exists in your phpMyAdmin directory. You 
> should remove it once phpMyAdmin has been configured.';  //to translate
> but what I find unfortunate is that, by adding this warning, we will 
> discourage admins to use the web-based interface for ongoing 
> configuration tasks which can be more frequent than just the initial 
> installation.

They just need to make it temporarily available during configuration, it
should not be there during normal operations.

> Maybe verify whether the directory is writable and if so, produce a 
> warning? This way the admin would just have to change permission.

Even having the directory there can cause problems - it contains
generated config file, which setup script can read and display. This
way anonymous user can read anything what is in configuration (eg.
control user credentials).

	Michal Čihař | http://cihar.com | http://blog.cihar.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://lists.phpmyadmin.net/pipermail/developers/attachments/20090325/8b04c4cd/attachment.sig>

More information about the Developers mailing list