.htaccess should block everything by default and only allow through requests to "the right things" #10

Closed
obra opened this issue Jul 4, 2013 · 13 comments

Comments

@obra
Contributor

obra commented Jul 4, 2013

should I be able to request arbitrary .php files under Idno*, external or templates?


@benwerd
Member

benwerd commented Jul 4, 2013

That's a reasonable question. I wanted to easily provide access to existing files, and while no harm can theoretically come from trying to load an idno PHP class or template, no good can really come from it either. It may be worth hiding .php files and some other risky extensions.

Thank you so much for all this feedback!

@obra
Contributor Author

obra commented Jul 4, 2013

On Wed, Jul 03, 2013 at 09:48:21PM -0700, Ben Werdmuller wrote:

> That's a reasonable question. I wanted to easily provide access to existing files, and while no harm can theoretically come from trying to load an idno PHP class or template, no good can really come from it either. It may be worth hiding .php files and some other risky extensions.

nod Coming from other programming cultures, I've always tried hard to not mix assets and executed/interpreted content in the same directory structure. (In addition to the security benefits, it makes it a lot easier to do things like push your static assets through a CDN)


@benwerd
Member

benwerd commented Jul 4, 2013

I think that implies another ticket, which I'll open momentarily.

@obra
Contributor Author

obra commented Jul 4, 2013

On Thu, Jul 04, 2013 at 08:40:53AM -0700, Ben Werdmuller wrote:

> I think that implies another ticket, which I'll open momentarily.

Fair enough. Now that I'm a couple sips into my coffee, I realized that I'm conflating two issues.

@benwerd
Member

benwerd commented Jul 4, 2013

I don't think you are - I just think that having static assets live at a user-definable path is a really strong feature enhancement, and wanted to get it in!

@ipranjal
Contributor

ipranjal commented Feb 2, 2016

this has been fixed i guess

@kylewm
Collaborator

kylewm commented Feb 2, 2016

It very hasn't ;) e.g., you can hit /IdnoPlugins/Status/Pages/Edit.php on any site, and it will execute it (fortunately it just causes an error). But ideally that should 404 or 403

@kylewm
Collaborator

kylewm commented Feb 5, 2016

> I've always tried hard to not mix assets and executed/interpreted content in the same directory structure

So it turns out to be pretty trivial to move index.php, external/, gfx/, js/, and css/ to a folder (I called it public/) and make that the wwwroot.

The problem is that then there is no way for plugins or themes to include custom static resources -- since they all live outside of the wwwroot, and I am drawing a blank on how to manage this. Any ideas?

@benwerd benwerd closed this as completed in 5ce37e2 Feb 6, 2016
benwerd added a commit that referenced this issue Feb 6, 2016
Closes #10: Blocks access to all PHP files except index.php and the s…
@kylewm
Collaborator

kylewm commented Feb 6, 2016

There should probably be points awarded for fixing issues with the lowest number. 👍

@benwerd benwerd reopened this Feb 6, 2016
@benwerd
Member

benwerd commented Feb 6, 2016

Sadly reopening this because the .htaccess blocked access to /warmup. Should be able to recommit soon, but pushing out an emergency new release.

@kylewm
Collaborator

kylewm commented Feb 6, 2016

Might just need to substitute `.*` for `*` in `<Files ~ "warmup\/*\.php">`

@benwerd
Member

benwerd commented Feb 6, 2016

I tried that - not working at this end. It'll be something equally small though ;)

@mapkyca
Member

mapkyca commented Nov 28, 2016

Pretty sure this is handled by the various .htaccess deny alls in the appropriate dirs, but there's likely need for similar nginx configs
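A deny-by-default .htaccess layout of the kind this thread converges on, written as an added example rather than Known's own configuration. It assumes Apache 2.4 (`Require` syntax), a site served from the web root, and warm-up scripts living under /warmup/. It also shows why the `<Files ~ "warmup\/*\.php">` attempt could not take effect: `<Files>` and `<FilesMatch>` test only the file's basename, so a pattern that includes a path never matches anything.

```apache
# Added example, not Known's own .htaccess. Apache 2.4 "Require" syntax is
# assumed; /warmup/ holding the warm-up .php scripts is taken from the thread,
# but its exact layout is an assumption.

# ---- file: /.htaccess (web root) ----

# Deny every PHP file by default. <Files> and <FilesMatch> compare against the
# file's *basename* only, so a path pattern such as "warmup\/*\.php" can never
# match; a per-path carve-out has to live in that directory's own .htaccess.
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>

# Re-allow the single front controller. This matches any file named index.php
# anywhere in the tree, which is why per-directory deny files still matter.
<Files "index.php">
    Require all granted
</Files>

# ---- file: /warmup/.htaccess ----

# Carve-out for the warm-up scripts only. The child .htaccess is merged after
# the parent, so its Require replaces the parent's denial for this directory
# (default AuthMerging Off).
<FilesMatch "\.php$">
    Require all granted
</FilesMatch>
```

After deploying, a request for /IdnoPlugins/Status/Pages/Edit.php should return 403 instead of executing, while /index.php and /warmup/<script>.php still answer; static assets under plugin directories are unaffected because only .php basenames are denied.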
