[Phpmyadmin-devel] restricting or removing /setup

Piotr Przybylski piotr.prz at gmail.com
Mon Aug 1 17:47:56 CEST 2011


2011/8/1 Michal Čihař <michal at cihar.com>:
> Hi
>
> On Sat, 16 Jul 2011 08:17:25 -0400
> Marc Delisle <marc at infomarc.info> wrote:
>
>> Yes but in these applications, their installation program does things like
>> - letting you choose an admin password
>> - entering database credentials
>> - creating initial database
>> - creating the effective configuration file
>>
>> This is why they ask (or sometimes enforce) to remove the setup directory.
>>
>> I don't see the same need for phpMyAdmin because our setup code never
>> writes to the effective configuration file, only to a staging one.
>
> Yes, this is true. However you generally don't need setup after
> initial installation, so removing it also won't hurt. And publicly
> exposing less (potentially vulnerable) code is always a good idea :-).

How about locking it completely when there is no writable "config"
directory and a warning in main.php when writable "config" directory
is detected?

-- 
Regards,
Piotr Przybylski
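
A sketch of the check proposed above, added here as an illustration and not taken from phpMyAdmin's code: the setup entry point refuses to run without a writable "config" directory, and the main page warns while one exists. The function names, the messages and the symlink rejection are assumptions made for this example.

```php
<?php
// Added illustration, not phpMyAdmin code. Function names, messages and
// the symlink check are assumptions made for this example.

/**
 * True only when $dir is a real (non-symlink) directory that the web
 * server user can write to, i.e. setup could save a staged config there.
 */
function staging_dir_is_writable(string $dir): bool
{
    clearstatcache(true, $dir);   // avoid a stale cached stat result
    return is_dir($dir) && !is_link($dir) && is_writable($dir);
}

/** Gate for the setup entry point: locked unless a staging dir exists. */
function setup_gate(string $dir): array
{
    if (!staging_dir_is_writable($dir)) {
        return [403, 'Setup is locked: no writable "config" directory.'];
    }
    return [200, ''];
}

/** Main-page warning: a writable staging dir means setup is reachable. */
function main_page_warning(string $dir): ?string
{
    if (staging_dir_is_writable($dir)) {
        return 'A writable "config" directory exists, so the setup script '
             . 'is enabled. Remove the directory once configuration is done.';
    }
    return null;
}

// Constructed demo: a temporary directory stands in for ./config.
$dir = sys_get_temp_dir() . '/pma-example-config-' . bin2hex(random_bytes(4));

[$status, $msg] = setup_gate($dir);              // directory absent
printf("absent:   %d %s\n", $status, $msg);

mkdir($dir, 0700);
[$status] = setup_gate($dir);                    // directory present, writable
printf("writable: %d\nwarning:  %s\n", $status, main_page_warning($dir));

rmdir($dir);
```

In a real entry point the 403 branch would send the status with `http_response_code()` and exit before any setup code is loaded, so none of that code is reachable while the directory is absent.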



