[Phpmyadmin-devel] restricting or removing /setup
Marc Delisle
marc at infomarc.info
Mon Aug 1 18:19:25 CEST 2011
Piotr Przybylski wrote:
> 2011/8/1 Michal Čihař <michal at cihar.com>:
>> Hi
>>
>> Dne Sat, 16 Jul 2011 08:17:25 -0400
>> Marc Delisle <marc at infomarc.info> wrote:
>>
>>> Yes but in these applications, their installation program does things like
>>> - letting you choose an admin password
>>> - entering database credentials
>>> - creating initial database
>>> - creating the effective configuration file
>>>
>>> This is why they ask (or sometimes enforce) to remove the setup directory.
>>>
>>> I don't see the same need for phpMyAdmin because our setup code never
>>> writes to the effective configuration file, only to a staging one.
>> Yes, this is true. However you generally don't need setup after
>> initial installation, so removing it also won't hurt. And publicly
>> exposing less (potentially vulnerable) code is always a good idea :-).
>
> How about locking it completely when there is no writable "config"
> directory and a warning in main.php when writable "config" directory
> is detected?
>
I don't think it's a good idea because /setup can be used to download a
config file when it's complete.
--
Marc Delisle
http://infomarc.info
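The gating Piotr proposes, written out as an added illustration (this is not phpMyAdmin's own code): the setup script refuses to run when there is no writable `config` staging directory, and the main page warns while that directory remains writable. The `PMA_CONFIG_DIR` constant and function names are assumptions; Marc's point that a finished config can still be downloaded through /setup applies unchanged.

```php
<?php
// Added example, not phpMyAdmin code: gate setup on a writable config/
// staging directory and warn from the main page while it stays writable.
// The directory path and function names are assumptions.

define('PMA_CONFIG_DIR', __DIR__ . '/config');

// true when the staging directory exists and the web server user can write to it
function setupDirectoryWritable(string $dir = PMA_CONFIG_DIR): bool
{
    return is_dir($dir) && is_writable($dir);
}

// Intended for the top of setup/index.php: refuse to serve the setup UI when
// there is nowhere to write a staging config, so less code is reachable publicly.
function requireSetupAllowed(): void
{
    if (!setupDirectoryWritable()) {
        http_response_code(403);
        exit('Setup is disabled: the config/ directory is not writable.');
    }
}

// Intended for main.php: remind the administrator to revoke write access
// (or remove the setup directory) once installation is finished.
function setupWarning(): ?string
{
    if (setupDirectoryWritable()) {
        return 'The config/ directory is writable: finish setup, '
             . 'then make it read-only or remove it.';
    }
    return null;
}
```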