I have set the privacy quite high on my site, with only dead people being shown to the public, however a person who knows the default path to the GEDCOM files can download the whole file by simply typing in the URL.
Is there an (easy) way that this can be stopped?
For now, I have changed the default 'Genealogy from [YOURFILE.GED]' to not include the GEDCOM file name, but this won't deter the more determined hack.
Thanks in advance,
Paul.
http://www.devalmency.net
Below is a copy of what you need from the security section of the readme file at:
http://cvs.sourceforge.net/viewcvs.py/*checkout*/phpgedview/phpGedView/readme.txt?rev=1.104
If you wish to protect your GEDCOM file itself from being downloaded over the internet then you
should place it outside the root directory of your webserver or virtual host and set the value of
the $GEDCOM variable to point to that location. For example, if your home directory is something
like "/home/username" and if the root directory for your website is "/home/username/public_html"
and you have installed phpGedView in the "public_html/phpGedView" directory then you would place
your GEDCOM file in your home directory at the same level as your "public_html" directory. You
would then set the file path to "/home/username/gedcom.ged" by editing the gedcom configuration.
You can also manually set the location by changing the "path" line in index/gedcoms.php:
    $gedarray["path"] = "../../gedcom.ged";
or
    $gedarray["path"] = "/home/username/gedcom.ged";
Since your GEDCOM file resides in a directory outside of your webserver's root directory, your
webserver will not be able to fulfill requests to download it. But phpGedView will still be able
to read and display its contents.
In the end it is YOUR responsibility to guarantee that there has been no violation of an
individual's privacy and YOU could be held liable should private information be made public on the
websites that you administer.
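
One way to verify the result after moving the file, as an added example that is not part of the original thread or of phpGedView: the hypothetical helpers below report whether the configured "path" value still resolves inside the web root, and list any GEDCOM copies left behind under it. It assumes a relative "path" is resolved from the phpGedView install directory, as in the readme's "../../gedcom.ged" example; the directory tree at the end is constructed for the demo.

```shell
#!/bin/sh
# Added example (not phpGedView code). Assumption: a relative "path" value is
# resolved from the phpGedView install directory, as in the readme's example.

# Print the physical (symlink-free) path of a directory.
resolve_dir() {
    ( cd "$1" 2>/dev/null && pwd -P )
}

# gedcom_path_status DOCROOT INSTALL_DIR GEDCOM_PATH
# Prints "protected" (returns 0) or "exposed" (returns 1); returns 2 on error.
gedcom_path_status() {
    gps_root=$(resolve_dir "$1") || { echo "error: bad docroot $1" >&2; return 2; }
    case $3 in
        /*) gps_target=$3 ;;       # absolute, e.g. /home/username/gedcom.ged
        *)  gps_target=$2/$3 ;;    # relative, e.g. ../../gedcom.ged
    esac
    gps_dir=$(resolve_dir "$(dirname "$gps_target")") ||
        { echo "error: cannot resolve $gps_target" >&2; return 2; }
    # The slash in the pattern keeps /x/public_html_old from matching /x/public_html.
    case $gps_dir/ in
        "$gps_root"/*) echo exposed; return 1 ;;
        *)             echo protected; return 0 ;;
    esac
}

# leftover_gedcoms DOCROOT
# Lists GEDCOM files (or symlinks to them) still under the web root, such as
# the old copy left behind after relocating. Prints nothing when it is clean.
leftover_gedcoms() {
    find "$1" \( -type f -o -type l \) -name '*.[gG][eE][dD]' 2>/dev/null
}

# Constructed demo tree mirroring the layout described in the readme.
d=$(mktemp -d)
mkdir -p "$d/home/username/public_html/phpGedView"
: > "$d/home/username/gedcom.ged"                         # relocated file
: > "$d/home/username/public_html/phpGedView/old.ged"     # forgotten copy
gedcom_path_status "$d/home/username/public_html" \
    "$d/home/username/public_html/phpGedView" ../../gedcom.ged
leftover_gedcoms "$d/home/username/public_html"
rm -rf "$d"
```

A "protected" result only covers the configured path; any file that leftover_gedcoms prints is still downloadable by URL and should be deleted or moved as well.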