Feature Requests item #1839070, was opened at 2007-11-27 00:52
Message generated for change (Comment added) made by ornstedt
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=937967&aid=1839070&group_id=191583
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Core
Group: SVN (please specify revision!)
Status: Open
Resolution: None
Priority: 3
Private: No
Submitted By: Christian Boltz (christian_boltz)
Assigned to: Nobody/Anonymous (nobody)
Summary: rename templates to *.php and other template enhancements
Initial Comment:
Template files should be renamed to *.php to prevent them from being downloadable from any postfixadmin installation.
Initially suggested by Jan Örnstedt (ornstedt) in
http://sourceforge.net/tracker/index.php?func=detail&aid=1838327&group_id=191583&atid=937964
Note: When we do this, we also have to add a check for a constant (not: variable) and exit if it is not set.
Something like "define postfixadmin=1" in common.php.
Reason: Otherwise attackers could execute the templates and maybe do unexpected things with them.
Note 2: Ideally, all template code should be wrapped into functions. This allows better control of global variable usage.
----------------------------------------------------------------------
Comment By: Jan Örnstedt (ornstedt)
Date: 2007-11-27 14:32
Message:
Logged In: YES
user_id=498787
Originator: NO
Borrowed from another project...
/**
 * security check to prevent hackers from directly accessing this file
 */
if (strstr($_SERVER["SCRIPT_NAME"], "sendmail.php")) {
    print "Why do you want to do that?";
    exit;
}
And a .htaccess file
    # Apache 2.2 syntax: refuse every direct request for files in this directory
    order allow,deny
    deny from all
Cheers
Jan
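As an added example (not part of this thread and not postfixadmin's own code), the script below puts both proposals from the initial request and from Jan's comment side by side: common.php defines a constant before including a template, the template exits when the constant is missing (so a direct request for templates/header.php is refused), and the template's markup is wrapped in a function so it only sees the variables it is handed (Note 2). The constant name POSTFIXADMIN, the templates/ directory and the render_header() function are assumed names; the script writes the two files to a temporary directory and runs each with the PHP CLI standing in for the web server.

```php
<?php
// Added example, not postfixadmin project code.
// Demonstrates the "check for a constant and exit" guard proposed in the
// feature request, plus wrapping template code in a function (Note 2).
// Assumed names: POSTFIXADMIN (the constant), templates/header.php,
// render_header().

$root = sys_get_temp_dir() . '/pfa_guard_' . getmypid();
mkdir("$root/templates", 0700, true);

// templates/header.php: refuses to run unless common.php defined the
// constant first. Unlike a check on $_SERVER["SCRIPT_NAME"], this does not
// depend on how the web server fills in its request variables.
$template = <<<'PHP'
<?php
if (!defined('POSTFIXADMIN')) {
    header('HTTP/1.1 403 Forbidden');   // no-op under the CLI, sent under a web server
    exit("Direct access not allowed.\n");
}
// The template only sees what it is passed, not every global of the caller.
function render_header(string $title): void
{
    // Escape so a user-controlled title cannot inject markup.
    echo '<h1>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . "</h1>\n";
}
PHP;
file_put_contents("$root/templates/header.php", $template);

// common.php: the only entry point meant to be requested. It defines the
// constant, then pulls in the template and calls the render function.
$common = <<<'PHP'
<?php
define('POSTFIXADMIN', 1);
require __DIR__ . '/templates/header.php';
render_header('Mailboxes <script>alert(1)</script>');   // constructed sample input
PHP;
file_put_contents("$root/common.php", $common);

// Simulate the two requests. Expected:
//   common.php           -> <h1>Mailboxes &lt;script&gt;alert(1)&lt;/script&gt;</h1>
//   templates/header.php -> Direct access not allowed.
$php = escapeshellarg(PHP_BINARY);
echo "--- request common.php ---\n";
passthru($php . ' ' . escapeshellarg("$root/common.php"));
echo "--- request templates/header.php directly ---\n";
passthru($php . ' ' . escapeshellarg("$root/templates/header.php"));

// Clean up the temporary files.
unlink("$root/templates/header.php");
unlink("$root/common.php");
rmdir("$root/templates");
rmdir($root);
```

The constant guard and the .htaccess rule are complementary layers: the .htaccess rule stops the request at the web server (on Apache 2.4 the equivalent of `order allow,deny` / `deny from all` is `Require all denied`), while the in-file check still protects the template when AllowOverride is off or the files are served by a different server.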
----------------------------------------------------------------------