Login

***shawn_a*** · 2013-01-14, 02:15:16

I am looking at our htaccess situation.

I am wondering why we have htaccess files in every data folder.
The way I see it we need 4
Aside from the root

backups/ deny
data/ deny
data/uploads alow
data/thumbs allow

It appears we currently stick redundant denys in all other data/subfolders when they are not necessary.

backups/deny
backups/other/deny
data/other deny
data/other/logs deny
data/pages deny
etc..

Thoughts?

Anyone know why this might be done ?

Carlos · 2013-01-14, 05:03:27

I suppose they were all put there just in case or something.
Looks like they've always been there, at least since GS 1.0

***shawn_a*** · 2013-01-14, 07:54:54

Seems like it would slow apache down, since it has to parse each one in a path.

yojoe · 2013-01-14, 10:36:14

There were plenty situations when temp.htaccess hasn't been renamed during installation.
If you place all deny rules within root .htaccess file, and this situation happens again, houston might get a security problem with a free access to user.xml Wink

(this of course is still possible on non apache webservers)
Uploads and thumbs dirs might be moved to root, and deny rule might get into root htaccess (look here: http://get-simple.info/forums/showthread...3#pid31223) as it shouldn't open a security hole (as long as script file within upload/thumb dir wouldn't be executed by GS)

ps. many plugins also have deny rules in own htaccess files
Don't you think that GS should disallow accessing all mentioned dirs, and plugin files on his own, instead of basing on apache's deny mechanism ?

***shawn_a*** · 2013-01-14, 12:39:35

I don't see how your post has anything to do with what I am asking.

yojoe · 2013-01-14, 18:13:05

ohh I thought you were talking about minifying overall amount of htaccess files with deny rules, not only in data, and backups directory.

eatons · 2013-01-14, 23:33:08

I may be wrong, Ã¢Â€Â¦ but wouldn't an empty index file produce the same security and create less load on the server?

***shawn_a*** · 2013-01-15, 00:13:47

no that just prevents directory listing
which should be default on most servers or already set somewhere as
Options -Indexes

eatons · 2013-01-15, 02:24:28

That would mean that the "redundant denys" are not redundant at all, but the best way of locking out any method of stealing or hacking content by guessing the correct path.

***shawn_a*** · 2013-01-15, 02:45:22

huh?

eatons · 2013-01-15, 23:18:33

That Was a dumb statement! my apologies, ...of course you're right and they are redundant!

Login
Username:
Password:	Lost Password?
	Remember me