Bug #129
glasif.cfg location
| Status: | Feedback | Start date: | 01/03/2010 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | Security Improvements | Spent time: | - |
| Target version: | - | | |
Description
The glasif.cfg should not be located anywhere under the www-root directory.
History
Updated by Marcel Koßin about 2 years ago
I definitely understand why it shouldn't be located within the document root and from a security point of view I agree. But on the other hand this isn't as easy as it sounds :-(
First of all, the installer writes the file itself. We have no guarantee that the user who is running the HTTPd has permission to write somewhere else (Safe Mode, suPHP, etc.). Even if we could write somewhere else, we have no clue what to use. Even if the user provides a location, we cannot read the location from the config file ;-)
Updated by Marcel Koßin about 2 years ago
- Status changed from New to Feedback
Updated by Marcel Koßin almost 2 years ago
In Ticket #150 it is suggested that there might be a problem if the webserver is not configured to deny access to *.cfg files as well. IMHO it makes sense to not put the config file elsewhere than the DocRoot. But it makes sense to make sure it is not downloadable in a default configuration of a LAMP server.
Thus I'd suggest:
- rename to glasif.cfg.php within the same location (/conf)
- The config file will be automatically generated by the installer, but has PHP syntax and thus, if parsed standalone, returns nothing.
Updated by Ben L. almost 2 years ago
- File glasif.129.patch added
This should work as far as new installations go. Existing installs just need the config file to be renamed.
Anyone that attempts to view the database credentials gets a semicolon and nothing else.
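
One way to realize the glasif.cfg.php suggestion from the thread, as an added example that is not the attached patch or Glasif's own code: the installer writes the settings as a PHP file that returns an array, so a direct request executes it and sends an empty body. The function names, setting keys and temp path are hypothetical.

```php
<?php
// Added illustration; function names, keys and paths are hypothetical, not Glasif's code.

/** Write $settings as a PHP file that returns an array and prints nothing. */
function write_php_config(string $path, array $settings): void
{
    // var_export() quotes every value, so quotes, backslashes or "?>" inside a
    // password cannot break out of the generated file.
    $body = "<?php\n"
          . "// Generated by the installer. Requested over HTTP, this file executes\n"
          . "// and sends an empty body; included from PHP, it returns the settings.\n"
          . 'return ' . var_export($settings, true) . ";\n";

    // Write a temporary file in the same directory, then rename it, so the
    // application never sees a half-written config. tempnam() creates the
    // file with mode 0600, so the credentials are never world-readable.
    $tmp = tempnam(dirname($path), 'cfg');
    if ($tmp === false) {
        throw new RuntimeException("cannot create temp file next to $path");
    }
    if (file_put_contents($tmp, $body) !== strlen($body) || !rename($tmp, $path)) {
        @unlink($tmp);
        throw new RuntimeException("cannot write $path");
    }
}

/** Load the config and reject anything that is not the expected array. */
function load_php_config(string $path): array
{
    $settings = include $path;
    if (!is_array($settings)) {
        throw new RuntimeException("$path did not return a settings array");
    }
    return $settings;
}

// Constructed sample values, including characters that would break a naive template.
$path = sys_get_temp_dir() . '/glasif.cfg.php';
$pass = "p'a\\ss?>";
write_php_config($path, ['db_host' => 'localhost', 'db_user' => 'glasif', 'db_pass' => $pass]);

ob_start();                       // capture what executing the file would send
$loaded = load_php_config($path);
$served = ob_get_clean();
unlink($path);

if ($served !== '' || $loaded['db_pass'] !== $pass) {
    throw new RuntimeException('config leaked output or did not round-trip');
}
```

The empty response depends on the web server handing `.php` files to the PHP interpreter; if that handler is missing or misconfigured, the file is served as source like any other text file.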