[PHPiCalendar-DEV] security suggestions for publish.php

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

I think we need to make some changes to the publish system.

Why:

If you use the current system with external authentication, the ics files 
are protected by the same mechanism as the publish system.  This isn't
always good -- what if I want to allow publish but not allow direct access
to the ICS files?

Likewise, if you are using the PHP authentication then the files aren't
protected.  (minus using a handler for .ics file access that fails)

In short, I think that the following changes are reasonable and flexible
enough for all situations:

Put publish.php in publish/ directory.
	-- an .htaccess file in that directory can control access

Leave calenders in calendars/ directory.
	-- an .htaccess file in that directory can control access

I'd also like to introduce a configuration variable that would control the
HTTP authentication realm, instead of having people edit publish.php to
control this.  Opinions?

Lastly, I'd like to write the log file to a location which is *NOT*
accessible.  Other files in the distribution fit this description.  How 
about a new directory with a .htaccess file "deny from all" in it?

-- 
Jo Rhett
senior geek
SVcolo : Silicon Valley Colocation