Hi
In the default package there should be .htaccess files to prevent reading of .inc files. By default most Apache installations will allow reading of .inc files posing a security risk, so each directory containing these should have an htaccess file such as
Order allow,deny Deny from all
in the 'program' directory to prevent people from gaining access to database passwords in the configuration.
Colin Alston wrote:
<Crack>
I'm obviously on drugs, nevermind.
Why is the .htaccess not required then?
On Sat, 24 Jun 2006 17:31:46 +1000, Colin Alston
karnaugh@karnaugh.za.net wrote:
Colin Alston wrote:
<Crack>
I'm obviously on drugs, nevermind.
Colin Alston wrote:
In the default package there should be .htaccess files to prevent reading of .inc files. By default most Apache installations will allow reading of .inc files posing a security risk, so each directory containing these should have an htaccess file such as
No but the following would be really useful:
# Block access to SVN files
<IfModule mod_access.c> <DirectoryMatch ~ "^/.*/.svn"> Order allow,deny Deny from all ErrorDocument 403 "<h1>Access Denied</h1>" </DirectoryMatch> </IfModule>
Thomas
How how are the .inc files protected?
On Sat, 24 Jun 2006 19:02:48 +1000, Thomas Mangin
thomas.mangin@exa-networks.co.uk wrote:
Colin Alston wrote:
In the default package there should be .htaccess files to prevent reading of .inc files. By default most Apache installations will allow reading of .inc files posing a security risk, so each directory containing these should have an htaccess file such as
No but the following would be really useful:
# Block access to SVN files
<IfModule mod_access.c> <DirectoryMatch ~ "^/.*/.svn"> Order allow,deny Deny from all ErrorDocument 403 "<h1>Access Denied</h1>" </DirectoryMatch> </IfModule>
Thomas
Chris Fordham wrote:
How how are the .inc files protected? In the default package there should be .htaccess files to prevent reading of .inc files.
There is already a .htaccess in the html folder, so I am not sure what you mean.
# svn blame .htaccess 159 roundcube # AddDefaultCharset UTF-8 252 thomasb php_flag display_errors Off 252 thomasb php_value upload_max_filesize 2M 3 roundcube 3 roundcube <FilesMatch "(.inc|~)$|^_"> 3 roundcube Order allow,deny 3 roundcube Deny from all 3 roundcube </FilesMatch> 3 roundcube 3 roundcube Order deny,allow 3 roundcube Allow from all
I realised that all my servers are blocking .svn folders but that roundcube does not and that it _could_ (I did not check) cause an issue.
# Block access to SVN files
<IfModule mod_access.c> <DirectoryMatch ~ "^/.*/.svn"> Order allow,deny Deny from all ErrorDocument 403 "<h1>Access Denied</h1>" </DirectoryMatch> </IfModule>
Thomas
--Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
LOL ...
Thomas Mangin wrote:
Chris Fordham wrote:
How how are the .inc files protected?
I do not know what Colin is taking but it is quite good.
The answer is : The .htaccess apply to sub-folders as well so it is not needed.
Yeah, I didn't realise that there was already one there, and I have some extra stuff in my settings folder which managers Postfix database passwords for mailboxes. Previously that directory was left open if I recall correctly.
So like I said, never mind :-)
Thomas Mangin wrote:
Colin Alston wrote:
In the default package there should be .htaccess files to prevent reading of .inc files. By default most Apache installations will allow reading of .inc files posing a security risk, so each directory containing these should have an htaccess file such as
No but the following would be really useful:
Shouldn't really run an svn trunk as production anyway. Keep your self a running branch and 'find . -iname .svn | xargs rm -r' or something.
Colin Alston wrote:
Shouldn't really run an svn trunk as production anyway. Keep your self a running branch and 'find . -iname .svn | xargs rm -r' or something.
It is not running as production but I think that I will not be the only one to do this and that RC should make sure that nothing bad happen to people who do. I do not think it is a bad idea anyway, as long as you are careful about what you do. From what I saw RC commit are well self contained (not willing to start a debate here tho, I realise that using svn is calling for trouble)
Thomas
-
Chris Fordham -
Colin Alston -
Thomas Mangin