[development] let's cleanup /misc
Dries Buytaert
dries at buytaert.net
Thu Jan 5 18:34:18 UTC 2006
>> 1. Improve the security of a Drupal install by keeping all files
>> private, except for an index.php; no module or include files should
>> be accessible from a web browser.
>
> How would moving the files make them any more protected than the
> current .htaccess method? It would also break module
> compartmentalization by requiring module-specific CSS to be moved
> outside of a module's folder.
> I don't even care if users can view the files as long as they can't
> modify them. After all, they can download them from drupal.org and
> search for vulnerabilities all they want.
Four (uncommon) use cases:
1. If you screw up your Apache configuration, PHP files can stop
being interpreted. People will be able to download them as text
files and get hold of your MySQL information in settings.php. It is
not likely to happen, but it happened to me on my local development
machine: if you upgrade Apache on Gentoo Linux and choose not to
merge the new configuration file with the existing one, mod_php will
be disabled.
2. Some editors save copies of the files you edit. Some crappy
editors add ~ or .log to the end of your file, so settings.php
becomes settings.php~ or settings.php.log. Again, downloadable.
3. There are web servers that don't support .htaccess files. Apache
is not the fastest web server in the world. Sites like wordpress.com
(WordPress hosting) run on LiteSpeed (http://litespeedtech.com/).
LiteSpeed happens to have .htaccess support, but some of the
alternatives do not.
4. PHP has 'highlight files', an option that allows you to view a PHP
file's source code simply by substituting .phps for .php. If someone
adds "AddType application/x-httpd-php-source .phps" to the Apache
configuration file, you're toast.
--
Dries Buytaert :: http://www.buytaert.net/
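The four disclosure cases in the message above can be checked from the outside with a handful of HTTP requests. The script below is an added example, not code from the post or from Drupal: it probes one URL per case and reports whether PHP source came back. The Drupal paths (sites/default/settings.php, includes/bootstrap.inc) and the $db_url marker are assumptions about the Drupal 4.x layout of the time, and the sample responses are constructed, so it runs offline. One caveat the script encodes: PHP's .phps highlighter HTML-escapes "<?php" to "&lt;?php", so a naive search for "<?php" would miss case 4.

```python
from urllib.parse import urljoin
from urllib.request import Request, urlopen
from urllib.error import HTTPError, URLError

# One probe per disclosure case in the post. The paths assume the Drupal
# 4.x layout (sites/default/settings.php, includes/bootstrap.inc); they are
# not taken from the post.
PROBES = {
    "php_not_interpreted": "sites/default/settings.php",      # case 1
    "editor_backup_tilde": "sites/default/settings.php~",     # case 2
    "editor_backup_log":   "sites/default/settings.php.log",  # case 2
    "no_htaccess":         "includes/bootstrap.inc",          # case 3
    "phps_handler":        "sites/default/settings.phps",     # case 4
}

# Strings that only reach the client if PHP source does. PHP's .phps
# highlighter HTML-escapes '<?php' to '&lt;?php', so both forms are listed;
# '$db_url' is the database DSN variable in a Drupal 4.x settings.php.
SOURCE_MARKERS = (b"<?php", b"&lt;?php", b"$db_url")


def looks_like_php_source(status: int, body: bytes) -> bool:
    """True when a 200 response carries raw or highlighted PHP source.

    An executed settings.php returns 200 with an empty body, which is fine;
    a 403 from .htaccess or a 404 for a missing backup is also fine.
    """
    return status == 200 and any(marker in body for marker in SOURCE_MARKERS)


def scan(base_url: str, fetch) -> dict:
    """Run every probe through fetch(url) -> (status, body); map case -> exposed."""
    results = {}
    for case, path in PROBES.items():
        status, body = fetch(urljoin(base_url, path))
        results[case] = looks_like_php_source(status, body)
    return results


def http_fetch(url: str, timeout: float = 10.0):
    """Fetcher for a live site. Errors and non-2xx responses count as not exposed."""
    req = Request(url, headers={"User-Agent": "drupal-source-probe"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(64 * 1024)
    except HTTPError as err:
        return err.code, b""
    except URLError:
        return 0, b""


# Constructed responses (sample data, not a real host) for a site where
# mod_php works and .htaccess is honoured, but an editor left settings.php~
# behind and the admin added the .phps AddType line.
BASE = "http://drupal.example/"
FAKE_SITE = {
    BASE + "sites/default/settings.php": (200, b""),  # executed, prints nothing
    BASE + "sites/default/settings.php~":
        (200, b"<?php\n$db_url = 'mysql://drupal:s3cret@localhost/drupal';\n"),
    BASE + "sites/default/settings.php.log": (404, b"<html>Not Found</html>"),
    BASE + "includes/bootstrap.inc": (403, b"<html>Forbidden</html>"),
    BASE + "sites/default/settings.phps":
        (200, b'<code><span style="color: #0000BB">&lt;?php</span>\n'
              b'<span style="color: #0000BB">$db_url</span></code>'),
}


def fake_fetch(url: str):
    return FAKE_SITE.get(url, (404, b""))


def demo() -> dict:
    """Scan the constructed site; swap fake_fetch for http_fetch on a real one."""
    return scan(BASE, fake_fetch)


if __name__ == "__main__":
    for case, exposed in demo().items():
        print(f"{case:20s} {'EXPOSED' if exposed else 'ok'}")
```

To run it against a real install, call scan() with http_fetch instead of fake_fetch. A positive on any probe means the database credentials in settings.php should be treated as leaked and rotated; the script only tells you that source is reachable, not which of the four misconfigurations caused it.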