htaccess changes in core
GetSimple Support Forum (http://get-simple.info/forums), Forum: Developer Discussions. Thread: htaccess changes in core (/showthread.php?tid=4137)

htaccess changes in core - shawn_a - 2013-01-14

I am looking at our htaccess situation. I am wondering why we have htaccess files in every data folder.

The way I see it we need 4 Aside from the root
It appears we currently stick redundant denys in all other data/subfolders when they are not necessary.

backups/deny
backups/other/deny
data/other deny
data/other/logs deny
data/pages deny
etc.

Thoughts? Anyone know why this might be done?

RE: htaccess changes in core - Carlos - 2013-01-14

I suppose they were all put there just in case or something. Looks like they've always been there, at least since GS 1.0.

RE: htaccess changes in core - shawn_a - 2013-01-14

Seems like it would slow Apache down, since it has to parse each one in a path.

RE: htaccess changes in core - yojoe - 2013-01-14

There were plenty of situations when temp.htaccess hasn't been renamed during installation. If you place all deny rules within the root .htaccess file, and this situation happens again, houston might get a security problem with free access to user.xml (this of course is still possible on non-Apache webservers).

Uploads and thumbs dirs might be moved to root, and the deny rule might get into the root htaccess (look here: http://get-simple.info/forums/showthread.php?tid=4027&pid=31223#pid31223) as it shouldn't open a security hole (as long as a script file within the upload/thumb dir wouldn't be executed by GS).

ps. many plugins also have deny rules in their own htaccess files

Don't you think that GS should disallow accessing all mentioned dirs, and plugin files, on its own, instead of relying on Apache's deny mechanism?

RE: htaccess changes in core - shawn_a - 2013-01-14

I don't see how your post has anything to do with what I am asking.

RE: htaccess changes in core - yojoe - 2013-01-14

Ohh, I thought you were talking about minifying the overall amount of htaccess files with deny rules, not only in the data and backups directories.

RE: htaccess changes in core - eatons - 2013-01-14

I may be wrong, … but wouldn't an empty index file produce the same security and create less load on the server?

RE: htaccess changes in core - shawn_a - 2013-01-15

No, that just prevents directory listing, which should be the default on most servers or already set somewhere as Options -Indexes.

RE: htaccess changes in core - eatons - 2013-01-15

That would mean that the "redundant denys" are not redundant at all, but the best way of locking out any method of stealing or hacking content by guessing the correct path.

RE: htaccess changes in core - shawn_a - 2013-01-15

huh?

RE: htaccess changes in core - eatons - 2013-01-15

That was a dumb statement! My apologies, ...of course you're right and they are redundant!
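
An audit of the two points raised in the thread, as an added example that is not part of the original posts or of GetSimple's code: it walks a site root, reports deny-all .htaccess files that sit below a directory which already denies access, and reports directories where temp.htaccess was never renamed. Assumptions: Apache honours .htaccess in these directories (AllowOverride), no child file re-allows access, and the constructed sample tree puts a deny file in data and backups themselves; the function names are hypothetical.

```python
import os
import re
import tempfile

# Apache 2.2 "Deny from all" or Apache 2.4 "Require all denied" on its own line.
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)

def denies_all(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return bool(DENY_RE.search(fh.read()))

def ancestors(rel):
    """Yield parent directories of rel, ending with '.' (the audited root)."""
    while rel not in ("", "."):
        rel = os.path.dirname(rel) or "."
        yield rel

def audit(root):
    """Return (redundant, unrenamed) as sorted lists of paths relative to root."""
    denying, unrenamed = set(), []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if ".htaccess" in files and denies_all(os.path.join(dirpath, ".htaccess")):
            denying.add(rel)
        # temp.htaccess with no .htaccess beside it: the install-time rename never happened.
        if "temp.htaccess" in files and ".htaccess" not in files:
            unrenamed.append(rel)
    redundant = [d for d in sorted(denying) if any(a in denying for a in ancestors(d))]
    return redundant, sorted(unrenamed)

def build_sample_tree():
    """Constructed layout using the folder names listed in the thread."""
    root = tempfile.mkdtemp()
    for rel in ("backups", "backups/other", "data", "data/other",
                "data/other/logs", "data/pages"):
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        with open(os.path.join(root, rel, ".htaccess"), "w") as fh:
            fh.write("Deny from all\n")
    with open(os.path.join(root, "temp.htaccess"), "w") as fh:
        fh.write("# constructed placeholder\n")
    return root

if __name__ == "__main__":
    redundant, unrenamed = audit(build_sample_tree())
    print("covered by a parent deny:", redundant)
    print("temp.htaccess not renamed in:", unrenamed)
```

A directory listed as covered is only safe to clean up while the parent's rule is actually in force, so check the temp.htaccess list first.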