GetSimple Support Forum

GetSimple Support Forum > GetSimple > Developer Discussions > htaccess changes in core
Full Version: htaccess changes in core
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

shawn_a

2013-01-14, 02:15:16
I am looking at our htaccess situation.

I am wondering why we have htaccess files in every data folder.
The way I see it we need 4
Aside from the root
  • backups/ deny
  • data/ deny
  • data/uploads alow
  • data/thumbs allow

It appears we currently stick redundant denys in all other data/subfolders when they are not necessary.

backups/deny
backups/other/deny
data/other deny
data/other/logs deny
data/pages deny
etc..

Thoughts?

Anyone know why this might be done ?

Carlos

2013-01-14, 05:03:27
I suppose they were all put there just in case or something.
Looks like they've always been there, at least since GS 1.0

shawn_a

2013-01-14, 07:54:54
Seems like it would slow apache down, since it has to parse each one in a path.

yojoe

2013-01-14, 10:36:14
There were plenty situations when temp.htaccess hasn't been renamed during installation.
If you place all deny rules within root .htaccess file, and this situation happens again, houston might get a security problem with a free access to user.xml Wink
(this of course is still possible on non apache webservers)
Uploads and thumbs dirs might be moved to root, and deny rule might get into root htaccess (look here: http://get-simple.info/forums/showthread...3#pid31223) as it shouldn't open a security hole (as long as script file within upload/thumb dir wouldn't be executed by GS)

ps. many plugins also have deny rules in own htaccess files
Don't you think that GS should disallow accessing all mentioned dirs, and plugin files on his own, instead of basing on apache's deny mechanism ?

shawn_a

2013-01-14, 12:39:35
I don't see how your post has anything to do with what I am asking.

yojoe

2013-01-14, 18:13:05
ohh I thought you were talking about minifying overall amount of htaccess files with deny rules, not only in data, and backups directory.

eatons

2013-01-14, 23:33:08
I may be wrong, … but wouldn't an empty index file produce the same security and create less load on the server?

shawn_a

2013-01-15, 00:13:47
no that just prevents directory listing
which should be default on most servers or already set somewhere as
Options -Indexes

eatons

2013-01-15, 02:24:28
That would mean that the "redundant denys" are not redundant at all, but the best way of locking out any method of stealing or hacking content by guessing the correct path.

shawn_a

2013-01-15, 02:45:22
huh?

eatons

2013-01-15, 23:18:33
That Was a dumb statement! my apologies, ...of course you're right and they are redundant!
GetSimple Support Forum > GetSimple > Developer Discussions > htaccess changes in core