Posts: 6,267
Threads: 182
Joined: Sep 2011
I am looking at our htaccess situation.
I am wondering why we have htaccess files in every data folder.
The way I see it we need 4
Aside from the root
- backups/ deny
- data/ deny
- data/uploads allow
- data/thumbs allow
It appears we currently stick redundant denys in all other data/subfolders when they are not necessary.
- backups/ deny
- backups/other/ deny
- data/other/ deny
- data/other/logs/ deny
- data/pages/ deny
etc..
Thoughts?
Anyone know why this might be done ?
Posts: 3,491
Threads: 106
Joined: Mar 2010
I suppose they were all put there just in case or something.
Looks like they've always been there, at least since GS 1.0
Posts: 6,267
Threads: 182
Joined: Sep 2011
Seems like it would slow Apache down, since it has to parse each one in a path.
Posts: 1,204
Threads: 30
Joined: Jun 2010
There were plenty of situations when temp.htaccess hasn't been renamed during installation.
If you place all deny rules within the root .htaccess file, and this situation happens again, Houston might get a security problem with free access to user.xml
(this of course is still possible on non-Apache webservers)
The uploads and thumbs dirs might be moved to root, and the deny rule might go into the root htaccess (look here: http://get-simple.info/forums/showthread.php?tid=4027&pid=31223#pid31223) as it shouldn't open a security hole (as long as a script file within the upload/thumb dir wouldn't be executed by GS)
ps. many plugins also have deny rules in their own htaccess files
Don't you think that GS should disallow accessing all the mentioned dirs, and plugin files, on its own, instead of relying on Apache's deny mechanism?
Addons: blue business theme, Online Visitors, Notepad
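To make the inheritance question in the opening post and the "lost .htaccess" failure mode in the reply above concrete, here is an added example (not GetSimple's code and not from any poster) that models how Apache merges per-directory access rules: walking from the docroot down to the requested file, the deepest .htaccess that sets a rule wins, and with no rule anywhere the request is allowed. The directory tree and .htaccess contents are a constructed fixture mirroring the folders named in the thread; `data/users/user.xml` is assumed as the location of the file the reply worries about. The model deliberately ignores `Order` evaluation, `AuthMerging` and `AllowOverride` (if `AllowOverride` does not permit `Limit`/`AuthConfig`, none of these files are read at all), so it shows the inheritance argument, not every Apache corner case.

```python
"""Model Apache's per-directory .htaccess merging on a constructed GetSimple-style tree."""
import tempfile
from pathlib import Path

# Constructed fixture mirroring the directories named in the thread.
# Keys are directories relative to the docroot; values are the .htaccess
# body placed there (None means "no .htaccess in this directory").
FIXTURE = {
    "": None,                        # root: assume temp.htaccess was never renamed
    "backups": "Deny from all\n",
    "backups/other": "Deny from all\n",
    "data": "Order Allow,Deny\nDeny from all\n",
    "data/other": "Deny from all\n",
    "data/other/logs": "Deny from all\n",
    "data/pages": "Deny from all\n",
    "data/uploads": "Order Allow,Deny\nAllow from all\n",
    "data/thumbs": "Allow from all\n",
    "data/users": None,              # assumed home of user.xml; no .htaccess of its own
}


def build_fixture(root: Path, fixture=FIXTURE) -> None:
    """Materialise the constructed tree under a throwaway docroot."""
    for rel, body in fixture.items():
        d = root / rel
        d.mkdir(parents=True, exist_ok=True)
        if body is not None:
            (d / ".htaccess").write_text(body)


def rule_in(htaccess: Path):
    """Return 'deny', 'allow' or None for the access rule in one .htaccess.
    Accepts the 2.2 (Allow/Deny from all) and 2.4 (Require all ...) spellings;
    the last matching directive in the file wins. Comments never match."""
    if not htaccess.is_file():
        return None
    rule = None
    for line in htaccess.read_text().splitlines():
        words = line.strip().lower().split()
        if words[:3] in (["deny", "from", "all"], ["require", "all", "denied"]):
            rule = "deny"
        elif words[:3] in (["allow", "from", "all"], ["require", "all", "granted"]):
            rule = "allow"
    return rule


def effective_access(root: Path, rel_path: str) -> str:
    """Verdict for a request to rel_path: apply the root .htaccess, then each
    directory's .htaccess on the way down. The deepest rule wins (this is how
    Apache merges per-directory access config); no rule anywhere means allow."""
    verdict = "allow"
    current = root
    for part in ("",) + Path(rel_path).parts[:-1]:  # directories leading to the file
        current = current / part
        rule = rule_in(current / ".htaccess")
        if rule:
            verdict = rule
    return verdict


def redundant_denies(root: Path):
    """Directories whose own 'Deny from all' only repeats what an ancestor
    .htaccess already enforces. Under normal inheritance they change no verdict;
    they only matter as a second layer if the ancestor file goes missing."""
    out = []
    for htaccess in sorted(root.rglob(".htaccess"), key=str):
        d = htaccess.parent
        if d == root or rule_in(htaccess) != "deny":
            continue
        # Verdict for a hypothetical file in the parent directory = ancestors only.
        probe = d.parent.relative_to(root) / "probe"
        if effective_access(root, str(probe)) == "deny":
            out.append(str(d.relative_to(root)))
    return sorted(out)


def demo():
    """Run the thread's scenarios on a temporary copy of the constructed tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_fixture(root)
        results = {
            "redundant": redundant_denies(root),
            "user.xml": effective_access(root, "data/users/user.xml"),
            "logs": effective_access(root, "data/other/logs/error.log"),
            "upload": effective_access(root, "data/uploads/photo.jpg"),
        }
        # Remove the inner denies: the one inherited from data/ still covers logs.
        (root / "data/other/.htaccess").unlink()
        (root / "data/other/logs/.htaccess").unlink()
        results["logs_after_cleanup"] = effective_access(root, "data/other/logs/error.log")
        # Now lose data/.htaccess too (the "file never put in place" class of
        # failure): with the redundant copies gone, nothing is left to deny.
        (root / "data/.htaccess").unlink()
        results["logs_no_parent"] = effective_access(root, "data/other/logs/error.log")
        return results


if __name__ == "__main__":
    print(demo())
```

`redundant_denies` reports `backups/other`, `data/other`, `data/other/logs` and `data/pages` as covered by an ancestor, while `data/uploads` and `data/thumbs` are the non-redundant overrides that must stay. The last two verdicts in `demo` are the trade-off the thread is circling: removing the repeated denies costs nothing while the parent file exists, and costs everything the moment it does not.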
Posts: 6,267
Threads: 182
Joined: Sep 2011
I don't see how your post has anything to do with what I am asking.
Posts: 1,204
Threads: 30
Joined: Jun 2010
Oh, I thought you were talking about minimising the overall number of htaccess files with deny rules, not only in the data and backups directories.
Addons: blue business theme, Online Visitors, Notepad
Posts: 79
Threads: 2
Joined: Feb 2012
I may be wrong, … but wouldn't an empty index file produce the same security and create less load on the server?
Posts: 6,267
Threads: 182
Joined: Sep 2011
No, that just prevents directory listing,
which should be the default on most servers or already set somewhere as
Options -Indexes
Posts: 79
Threads: 2
Joined: Feb 2012
That would mean that the "redundant denys" are not redundant at all, but the best way of locking out any method of stealing or hacking content by guessing the correct path.
Posts: 79
Threads: 2
Joined: Feb 2012
That was a dumb statement! My apologies, ...of course you're right and they are redundant!