[development] let's cleanup /misc

Dries Buytaert dries at buytaert.net
Thu Jan 5 18:34:18 UTC 2006


>> 1. Improve the security of a Drupal install by keeping all files
>> private, except for an index.php; no module or include files should be
>> accessible from a web browser.
>
> How would moving the files make them any more protected than the
> current htaccess method? It would also break module compartmentalization
> by requiring module-specific css to be moved outside of a module's
> folder. I don't even care if users can view the files as long as they
> can't modify them. After all, they can download them from drupal.org
> and search for vulnerabilities all they want.

Four (uncommon) use cases:

1. If you screw up your Apache configuration, PHP files can stop
being interpreted.  People will be able to download them as text
files and get hold of your MySQL information in settings.php.  It is
not likely to happen, but it happened to me on my local development
machine.  If you upgrade Apache on Gentoo Linux, and you choose not
to merge the new configuration file with the existing configuration
file, mod_php will be disabled.

2. Some editors save copies of the files you edit.  Some crappy
editors add ~ or .log to the end of your file, so settings.php
becomes settings.php~ or settings.php.log.  Again, downloadable.

3. There are webservers that don't support .htaccess files.  Apache
is not the fastest webserver in the world.  Sites like wordpress.com
(Wordpress hosting) run on LiteSpeed (http://litespeedtech.com/).
LiteSpeed happens to have .htaccess support, but some of the
alternatives do not.

4. PHP has 'highlight files'; an option that allows you to view a PHP
file's source code simply by substituting .php by .phps.  If someone
adds "AddType application/x-httpd-php-source .phps" to the Apache
configuration file, you're toast.
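An added audit script (not from this thread or from Drupal itself) that checks a webroot for the exposures described in cases 2 and 4 above: leftover editor copies such as settings.php~ or settings.php.log, stray .phps files, and an Apache config that maps .phps to the source highlighter. The Drupal layout (sites/default/settings.php) and the config path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Assumed layout: settings.php under sites/*/ as in Drupal 4.x.

# List editor/backup copies and .phps files a webserver would serve as plain
# text (case 2 and case 4 above). Prints one path per line; returns 1 if any.
find_exposed_copies() {
    webroot="$1"
    found=$(find "$webroot" -type f \( -name '*~' -o -name '*.log' -o -name '*.bak' \
        -o -name '*.orig' -o -name '*.swp' -o -name '*.phps' \) 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Number of exposed copies found (always exits 0 so it is safe under set -e).
count_exposed_copies() {
    find_exposed_copies "$1" | grep -c . || true
}

# True if the Apache config maps .phps to the PHP source highlighter (case 4).
phps_handler_enabled() {
    grep -Eqs '^[[:space:]]*AddType[[:space:]]+application/x-httpd-php-source' "$1"
}

# Demo on a constructed, throwaway tree (not a real site).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/web/sites/default"
    printf '<?php $db_url = "mysql://user:pass@localhost/db";\n' \
        > "$tmp/web/sites/default/settings.php"
    # The two accidental copies Dries describes: editor backup and .log copy.
    cp "$tmp/web/sites/default/settings.php" "$tmp/web/sites/default/settings.php~"
    cp "$tmp/web/sites/default/settings.php" "$tmp/web/sites/default/settings.php.log"
    printf 'AddType application/x-httpd-php-source .phps\n' > "$tmp/httpd.conf"
    find_exposed_copies "$tmp/web" || echo "exposed copies found under $tmp/web"
    phps_handler_enabled "$tmp/httpd.conf" && echo ".phps source handler is enabled"
    rm -rf "$tmp"
}

demo
```

Run it against a real webroot with `find_exposed_copies /var/www/html` and against the live Apache config with `phps_handler_enabled /etc/apache2/httpd.conf`; any output means a file would be served as text.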

--
Dries Buytaert  ::  http://www.buytaert.net/
