[Phpmyadmin-devel] restricting or removing /setup

Marc Delisle marc at infomarc.info
Mon Aug 1 18:19:25 CEST 2011

Piotr Przybylski a écrit :
> 2011/8/1 Michal Čihař <michal at cihar.com>:
>> Hi
>> Dne Sat, 16 Jul 2011 08:17:25 -0400
>> Marc Delisle <marc at infomarc.info> napsal(a):
>>> Yes but in these applications, their installation program does things like
>>> - letting you choose an admin password
>>> - entering database credentials
>>> - creating initial database
>>> - creating the effective configuration file
>>> This is why they ask (or sometimes enforce) to remove the setup directory.
>>> I don't see the same need for phpMyAdmin because our setup code never
>>> writes to the effective configuration file, only to a staging one.
>> Yes, this is true. However you generally don't need setup after
>> initial installation, so removing it also won't hurt. And publicly
>> exposing less (potentially vulnerable) code is always good idea :-).
> How about locking it completely when there is no writable "config"
> directory and a warning in main.php when writable "config" directory
> is detected?
I don't think it's a good idea because /setup can be used to download a 
config file when it's complete.

Marc Delisle

More information about the Developers mailing list