From: Victor B. <vb...@gm...> - 2006-09-23 04:26:05
Hi Paul,

>> php /path/to/mantis/core/send_emails.php
> ^ I don't like that
> imo, scripts / core / "wwwroot" should all be separate. i.e. we shouldn't
> mix the core directory with scripts.

The reason I put it into core is to avoid putting it into mantisbt/ which is accessible by the webserver. The added script is executed from the cronjob using php-cgi rather than the webserver. I would be happy to accept recommendations with regard to the proposed flexibility in the directory structure and how these scripts will locate each other.

> A 'best practice' install would then be to move core outside of wwwroot,
> scripts completely outside web accessible stuff, and leave the mantis php
> pages as the only accessible files.

Wouldn't the scripts still be accessible through the cronjob?

> As we've had one exploit from /core in the past, and i'd expect to see a
> number of scripts added to mantis as we move forwards, is it worth
> separating stuff now ?

We should make sure that Mantis supports best practices in installations of web applications, but we should make sure we don't overcomplicate the installation process or the portability of Mantis in terms of how easy it is to host on different web servers and with different levels of control on the server.

I would suggest you and Ryan start a Wiki article about the best way to securely install Mantis now and then figure out if we need to apply some changes to Mantis to improve flexibility / security.

Regards,
Victor.