Re: [Mantisbt-dev] Mantis 1.1.0a1 Released

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi Paul,

>> php /path/to/mantis/core/send_emails.php

> ^ I dont like that

> imo, scripts / core / "wwwroot" should all be seperate. i.e. we shouldn't
> mix the core directory with scripts.

The reason I put it into core is to avoid putting it into mantisbt/
which is accessible by the webserver.  The added script is executed
from the cronjob using php-cgi rather than the webserver.  I would be
happy to accept recommendations with regards to the proposed
flexibility in the directory structure and how these scripts will
locate each other.

> A 'best practice' install would then be to move core outside of wwwroot,
> scripts completely outside web accessible stuff, and leave the mantis php
> pages as the only accessible files.

Wouldn't the scripts still be accessible to through the cronjob?

> As we've had one exploit from /core in the past, and i'd expect to see a
> number of scripts added to mantis as we move forwards, is it worth
> seperating stuff now ?

We should make sure that Mantis support best practices in
installations of web applications, but we should make sure we don't
over complicate the installation process or the portability of Mantis
in terms of how easy it is to host on different web servers and with
different levels of control on the server.  I would suggest you and
Ryan start a Wiki article about the best way to securely install
Mantis now and then figure out if we need to apply some changes to
Mantis to improve flexibility / security.

Regards,
Victor.