htaccess changes in core
#1
I am looking at our htaccess situation.

I am wondering why we have htaccess files in every data folder.
The way I see it we need 4, aside from the root:
  • backups/ deny
  • data/ deny
  • data/uploads allow
  • data/thumbs allow

It appears we currently stick redundant denys in all other data/subfolders when they are not necessary.

  • backups/ deny
  • backups/other deny
  • data/other deny
  • data/other/logs deny
  • data/pages deny
  • etc.

Thoughts?

Anyone know why this might be done?
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
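The inheritance argument in post #1, as an added example that is not part of the original thread or GetSimple's own code: a Python audit that walks a tree and flags every .htaccess whose blanket rule merely repeats the rule already inherited from a parent directory. It assumes each file contains `Deny from all` / `Require all denied` or `Allow from all` / `Require all granted`, that the nearest .htaccess on the path wins, and it uses a constructed layout based on the folders named above; `rule_in`, `audit`, `redundant_dirs` and `build_sample` are hypothetical names.

```python
import os, re, tempfile

# Simplified model (assumption): only blanket allow/deny rules are recognised.
DENY = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\b", re.I | re.M)
ALLOW = re.compile(r"^\s*(allow\s+from\s+all|require\s+all\s+granted)\b", re.I | re.M)

def rule_in(directory):
    """Return 'deny', 'allow' or None for the .htaccess in one directory."""
    path = os.path.join(directory, ".htaccess")
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    if DENY.search(text):
        return "deny"
    return "allow" if ALLOW.search(text) else None

def audit(root):
    """Map each relative dir to (own rule, effective rule, redundant?)."""
    root = os.path.abspath(root)
    report, inherited = {}, {root: None}  # None = no rule seen above this dir
    for current, dirs, _ in os.walk(root):
        own, above = rule_in(current), inherited[current]
        effective = own or above  # nearest .htaccess on the path wins
        rel = os.path.relpath(current, root).replace(os.sep, "/")
        report[rel] = (own, effective, own is not None and own == above)
        for d in dirs:
            inherited[os.path.join(current, d)] = effective
    return report

def redundant_dirs(root):
    """Directories whose .htaccess repeats the rule inherited from above."""
    return sorted(rel for rel, (_, _, dup) in audit(root).items() if dup)

def build_sample(base):
    """Constructed sample tree using the folder names from the thread."""
    denied = ["backups", "backups/other", "data", "data/other",
              "data/other/logs", "data/pages"]
    layout = {d: "Deny from all" for d in denied}
    layout.update({"data/uploads": "Allow from all", "data/thumbs": "Allow from all"})
    for rel, rule in layout.items():
        d = os.path.join(base, *rel.split("/"))
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, ".htaccess"), "w") as fh:
            fh.write(rule + "\n")
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(redundant_dirs(build_sample(tmp)))
```

"Redundant" here only means the effective rule is unchanged under Apache's per-directory inheritance; it says nothing about servers that ignore .htaccess files.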
#2
I suppose they were all put there just in case or something.
Looks like they've always been there, at least since GS 1.0
#3
Seems like it would slow apache down, since it has to parse each one in a path.
- Shawn A aka Tablatronix
#4
There were plenty of situations when temp.htaccess hasn't been renamed during installation.
If you place all deny rules within the root .htaccess file, and this situation happens again, Houston might get a security problem with free access to user.xml ;)
(this of course is still possible on non apache webservers)
Uploads and thumbs dirs might be moved to root, and deny rule might get into root htaccess (look here: http://get-simple.info/forums/showthread...3#pid31223) as it shouldn't open a security hole (as long as script file within upload/thumb dir wouldn't be executed by GS)

ps. many plugins also have deny rules in own htaccess files
Don't you think that GS should disallow accessing all mentioned dirs, and plugin files, on its own, instead of relying on Apache's deny mechanism?
Addons: blue business theme, Online Visitors, Notepad
#5
I don't see how your post has anything to do with what I am asking.
- Shawn A aka Tablatronix
#6
Ohh, I thought you were talking about minimizing the overall number of htaccess files with deny rules, not only in the data and backups directories.
#7
I may be wrong, … but wouldn't an empty index file produce the same security and create less load on the server?
#8
No, that just prevents directory listing,
which should be the default on most servers or already set somewhere as
Options -Indexes
- Shawn A aka Tablatronix
#9
That would mean that the "redundant denys" are not redundant at all, but the best way of locking out any method of stealing or hacking content by guessing the correct path.
#10
huh?
- Shawn A aka Tablatronix
#11
That was a dumb statement! My apologies... of course you're right and they are redundant!