Hi Sean.
Here are some explanations about .htaccess and error logging.
- The RoundCube package includes a directory names "log" and an entry in
config/main.inc.php.dist that sets 'log_dir' to that directory. According to the installation guide you should make sure that the webserver can write to that log dir. With all these conditions met, the errors file will be create once the first error is logged. If this fails, PHP will write the errors to it's default error_log file.
- Only .php will be executed (sent to PHP) when called externally over an
URL. This is one of the reasons why we use .inc for included PHP files which are not subject to be executed directly. Since RoundCube is open source, everybody can get the source and analyze it and the FilesMatch section in .htaccess is not absolutely necessary. Nevertheless, direct access via webserver should not be allowed. This also includes auto-saving files from emacs (ending with ~).
As you can see, there are .htaccess files in 'temp' and 'logs' dirs which deny all access from outside.
If you use Apache and you have AllowOverride set for the RoundCube directory your log files should be save.
~Thomas
Sean N. Heukels wrote:
Found something strange in the code about error logging
<1> in main.inc the errors directory is defined, but this directory does not exist. Does PHP complain about this?
// set PHP error logging according to config if ($conf['debug_level'] & 1) { ini_set('log_errors', 1); ini_set('error_log', $conf['log_dir'].'/errors'); }
<2> In .htaccess in the root of roundcube there is a deny/allow statement for *.inc (suffix as .inc). Does this mean that if a user would know the directory format that he/she would be able to read/execute other file formats under the directory structure. For example files with the suffix php or log?
Kind regards, Sean