[2010-07-15] IIS allows access to various PHP scripts that shouldn't be allowed #1384
Comments
In framework all .php files need to be whitelisted. See https://github.com/silverstripe/silverstripe-framework/blob/3.1/web.config We should add this to cms as well.
Is this done?
No, and this is very easily done. Triaging and assigning to v3.
Now that all core modules are placed in vendor, and vendor access is denied by default, it's only a problem for modules that haven't made the switch to
I would assume that the fix for this (slated for 4.1) is to move the webroot to a subfolder. As such I think that this bug is covered by #7419 and we can close this.
created by: @halkyon (sharvey)
assigned to: @halkyon (sharvey)
created at: 2010-07-15
original ticket: http://open.silverstripe.org/ticket/5835
In cms, sapphire, there's an .htaccess file which blocks access to various PHP scripts for security reasons.
IIS is a popular web server, so having a web.config that does the equivalent of this out of the box might be a good idea too.
e.g. http://localhost/ss24/cms/_config.php should not be allowed on IIS.
It's unclear whether IIS supports blocking requests by extension, but there should be some sort of request filtering that could achieve the same effect as the current .htaccess files in the cms and sapphire directories.
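An added example, not part of the original ticket or the SilverStripe code base: IIS request filtering has a `fileExtensions` element that can deny requests by extension, and the sketch below evaluates a constructed `web.config` for the cms directory against request paths. It models only the `fileExtensions` rules (no `hiddenSegments`, no inheritance from parent directories), and the `.css` path is a made-up sample.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed web.config for the cms directory (not the project's own file).
# Unlisted extensions stay reachable; .php is denied.
CMS_WEB_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".php" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""

# Constructed "before" state: a web.config with no request filtering at all.
NO_FILTERING = "<configuration><system.webServer /></configuration>"

RULES_PATH = "./system.webServer/security/requestFiltering/fileExtensions"


def extension_allowed(config_xml, url_path):
    """Return True if the fileExtensions rules would let url_path through."""
    rules = ET.fromstring(config_xml).find(RULES_PATH)
    if rules is None:
        return True  # nothing configured, so nothing is blocked
    allow_unlisted = rules.get("allowUnlisted", "true").lower() == "true"
    # Drop the query string, then compare extensions case-insensitively.
    ext = posixpath.splitext(url_path.split("?", 1)[0])[1].lower()
    for rule in rules.findall("add"):
        if rule.get("fileExtension", "").lower() == ext:
            return rule.get("allowed", "true").lower() == "true"
    return allow_unlisted


if __name__ == "__main__":
    for path in ("/ss24/cms/_config.php", "/ss24/cms/css/example.css"):
        verdict = "allowed" if extension_allowed(CMS_WEB_CONFIG, path) else "denied"
        print(f"{path}: {verdict}")
```
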