Darrel O'Pry wrote:
And just in case is all it is... I don't think it should all be moved around. I was just trying to make a point that if people insist on moving things out of the public Drupal tree, that they limit themselves to settings.php. settings.php is the only file in Drupal that has the potential to be a security problem if its contents are exposed...
The downside of that rarely occurring misconfiguration for, say, an e-commerce site is a large liability.
Then again, it's easy enough for the determined to relocate their settings.php. So maybe in light of popular opinion we just need to add the site/all and be done with it. :)
Darrel, any module or theme source file could be a security problem if exposed. You can directly inspect the source code, identify versions, or in case of custom code, examine weaknesses. Any identified publicly available module can possibly contain weaknesses.

Goba