From: Erin S. <ebu...@sq...> - 2003-04-29 18:44:04
Erin Schnabel said:
> Kurt Yoder said:
>>
>> Even if one follows these recommendations, this issue remains. If I
>> can attempt to summarize the issue, it is: the "best practice" from
>> a security standpoint would be to separate out everything that is
>> not required to be accessible by a browser. So if there are no plans
>> for any of the current developers to do this, would any of you/them
>> be open to me playing around with it (that is, would you accept
>> changes back to the core structure to resolve this issue)?
>
> PHP can open files that are "included" or "required" that are not servable
> by apache.
>
> If you're that paranoid about it, the src directory is what contains the
> main "endpoint" scripts. If you want to restrict which files get executed,
> the src directory already contains just about everything that the
> webserver needs access to for serving purposes, so set up the src
> directory only, and disallow everything else.
>
> The only exceptions are options pages for plugins, and that depends on
> which plugins you have installed, and whether or not they provide their
> own pages for interaction/configuration/etc. Plugin directories are
> probably best handled via .htaccess files, if they are available.

An addendum/point of clarification:

All the files in the SM tree need to be readable/reachable by the
webserver processes. They can just be unservable per apache/webserver
directives.

i.e. Apache needs to be able to read all .php or .inc files in order to
process the full PHP script and construct the response, but files outside
of the src tree (or certain endpoint scripts shipped with plugins) do not
need to be directly requestable by the client.

Erin (ebullient)

--
'Waste of a good apple.' - Samwise Gamgee
ICQ: 38670353
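
One way to express the layout described in this message as Apache configuration, as an added example that is not part of the original message or of the project. It assumes Apache 2.4 syntax, an install under the hypothetical path /var/www/squirrelmail, and a hypothetical plugin directory named example_plugin.

```apache
# Added example. The install path and the plugin name are assumptions.

# Default for the whole tree: no file is directly requestable.
# File-system permissions are untouched, so the webserver process can
# still read every .php/.inc file that an endpoint script includes.
<Directory "/var/www/squirrelmail">
    Require all denied
    AllowOverride None
</Directory>

# src/ holds the endpoint scripts, so it is the one directory that
# clients may request. This longer path is merged after the section
# above and replaces its Require line.
<Directory "/var/www/squirrelmail/src">
    Require all granted
</Directory>

# Plugins stay denied by default. AuthConfig is the override class that
# permits Require lines in .htaccess, so a plugin that ships its own
# options page can be opened individually.
<Directory "/var/www/squirrelmail/plugins">
    Require all denied
    AllowOverride AuthConfig
</Directory>

# Contents of /var/www/squirrelmail/plugins/example_plugin/.htaccess
# for a plugin that provides pages of its own (hypothetical plugin):
#
#     Require all granted
#
# Quick check after reloading Apache: a request for a file under src/
# should be answered normally, while a request for any .php or .inc
# file elsewhere in the tree should return 403 even though PHP can
# still include that same file.
```

On the Apache 1.3/2.0 releases current when this thread was written, the same effect comes from `Order deny,allow` with `Deny from all` in place of `Require all denied`, and `Order allow,deny` with `Allow from all` in place of `Require all granted`.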