[Phpmyadmin-devel] restricting or removing /setup

Piotr Przybylski piotr.prz at gmail.com
Mon Aug 1 17:47:56 CEST 2011

2011/8/1 Michal Čihař <michal at cihar.com>:
> Hi
> Dne Sat, 16 Jul 2011 08:17:25 -0400
> Marc Delisle <marc at infomarc.info> napsal(a):
>> Yes but in these applications, their installation program does things like
>> - letting you choose an admin password
>> - entering database credentials
>> - creating initial database
>> - creating the effective configuration file
>> This is why they ask (or sometimes enforce) to remove the setup directory.
>> I don't see the same need for phpMyAdmin because our setup code never
>> writes to the effective configuration file, only to a staging one.
> Yes, this is true. However you generally don't need setup after
> initial installation, so removing it also won't hurt. And publicly
> exposing less (potentially vulnerable) code is always good idea :-).

How about locking it completely when there is no writable "config"
directory and a warning in main.php when writable "config" directory
is detected?

Piotr Przybylski

More information about the Developers mailing list