Create .htaccess files at runtime #1337

Closed
robocoder opened this Issue · 5 comments

1 participant

@robocoder
Collaborator

In [1743], .htaccess files were added to core, lang, libs, plugins, and themes to guard against directory listing and direct access to .php and .tpl files. This ascribes to the "secure by default" principle.

It addresses the potential 'information disclosure' vulnerability (i.e., script path or include path) on a misconfigured web server, and avoids the need to add "defined('PIWIK_INCLUDE_PATH') or die;" to .php files (which we started doing in [1335], but not yet for files that contain subclasses).

Unfortunately, some are experiencing problems:

  • wrong permissions (when files are uploaded to server)
  • "Loading data... oops...an error has occured during the query, please try again." (unless the .htaccess files are removed)

@robocoder
Collaborator

(In [2147]) fixes #1337 - remove static .htaccess files and defined('PIWIK_INCLUDE_PATH') or die "guard"; we'll enhance PhpSecInfo to assist the user in configuring their environment more securely

@robocoder
Collaborator

(In [2148]) refs #1337

@robocoder
Collaborator

(In [2149]) refs #1337 - create .htaccess files at runtime (Installation); tested with Order deny,allow (and allow,deny), AllowOverride All (vs none)

@robocoder
Collaborator

(In [2223]) refs #1337 - allow direct access to .test.php files

@robocoder
Collaborator

(In [2315]) refs #1337 - only create .htaccess files at Installation if Apache detected. Jetty's HTAccessHandler doesn't fully support Apache .htaccess files.

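To show how the decisions in this thread fit together (runtime generation at installation, Apache-only, directory listing and .php/.tpl access denied, .test.php left reachable), here is an added example in PHP; it is not Piwik's own code, the function names are hypothetical, and it assumes Apache 2.2 "Order" syntax as mentioned in the comments above.

```php
<?php
// Added example, not Piwik's implementation: emit an Apache .htaccess only
// when the serving software is Apache, using the rules the thread settled on.

function isApache(string $serverSoftware): bool
{
    // Jetty's HTAccessHandler does not fully support Apache .htaccess (per the
    // thread), so generate the file only when Apache itself is answering.
    return stripos($serverSoftware, 'Apache') === 0;
}

function buildHtaccess(): string
{
    // Apache 2.2 access-control syntax. mod_access does not merge sections,
    // so the later <FilesMatch> wins for .test.php and re-allows it.
    return implode("\n", [
        '# generated at installation; regenerate rather than editing by hand',
        'Options -Indexes',
        '<FilesMatch "\.(php|tpl)$">',
        '    Order deny,allow',
        '    Deny from all',
        '</FilesMatch>',
        '# unit-test entry points stay directly reachable',
        '<FilesMatch "\.test\.php$">',
        '    Order allow,deny',
        '    Allow from all',
        '</FilesMatch>',
    ]) . "\n";
}

// Returns the list of files actually written; $dirs are relative to the
// installation root. Existing files are kept and permission errors fail soft,
// which were the two complaints that motivated moving generation to runtime.
function createHtaccessFiles(array $dirs, string $serverSoftware): array
{
    $written = [];
    if (!isApache($serverSoftware)) {
        return $written; // non-Apache server: leave the directories alone
    }
    foreach ($dirs as $dir) {
        $path = rtrim($dir, '/') . '/.htaccess';
        if (!file_exists($path) && @file_put_contents($path, buildHtaccess()) !== false) {
            $written[] = $path;
        }
    }
    return $written;
}

// Usage at installation time:
// createHtaccessFiles(['core', 'lang', 'libs', 'plugins', 'themes'], $_SERVER['SERVER_SOFTWARE'] ?? '');
```

On Apache 2.4 the `Order`/`Deny`/`Allow` lines would need `Require all denied` / `Require all granted` instead, and the file has no effect at all unless `AllowOverride` permits it, which is why the comment above tested both `All` and `None`.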
@robocoder robocoder added this to the Piwik 0.6.1 milestone
@robocoder robocoder self-assigned this
This issue was closed.