Opened 2 years ago
Closed 2 years ago
#3337 closed Enhancement (wontfix)
htaccess security: preventing access to php backup files
| Reported by: | ncouture | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | Needs Review |
| Component: | Core | Version: | 1.7 |
| Severity: | trivial | Keywords: | htaccess, security |
| Cc: | brett@…, nicolas.couture@… | Difficulty: | |
Description
As the project ships its own htaccess file, I believe it could be used to improve the security of all Elgg installations by preventing web client access to all potential php backup files.
Backup file creation is a default setting in many popular text editors; vim and emacs, to name a few, will save backup files (e.g. editing /engine/settings.php on the webserver will result in the creation of /engine/settings.php~).
This can be considered the administrator/developer/user's responsibility, but I believe it's a trivial improvement that does not have "counter indications".
Change History (3)
comment:1 Changed 2 years ago by ncouture
- Cc nicolas.couture@… added
comment:2 Changed 2 years ago by cash
Thanks for the suggestion. My opinion is that you should never edit a file on a live production site. Other thoughts on whether this should be added to htaccess_dist?
comment:3 Changed 2 years ago by cash
- Resolution set to wontfix
- Status changed from new to closed
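The kind of rule the description asks for, as an added example that is not part of the ticket or of Elgg's htaccess_dist: a file such as settings.php~ no longer ends in .php, so a typical Apache setup serves it as plain text instead of executing it. Only the `~` suffix comes from the ticket; the other patterns (vim swap files, emacs auto-save files, .bak/.orig/.save copies) are assumptions about common editor artefacts.

```apache
# Added example; not taken from Elgg's htaccess_dist.
# Deny web access to editor backup copies of PHP files.
#
#   settings.php~         backup file (the case named in the ticket)
#   .settings.php.swp     vim swap file (assumed pattern; also .swo, .swn, ...)
#   #settings.php#        emacs auto-save file (assumed pattern)
#   settings.php.bak      manual copies (assumed patterns: .bak, .orig, .save)
#
# FilesMatch tests the file name only, not the directory path.
<FilesMatch "(\.php(~|\.bak|\.orig|\.save|\.sw[a-p])|^#.*\.php#)$">
    <IfModule mod_authz_core.c>
        # Apache 2.4 and later
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

In a .htaccess file these directives only take effect if the server's AllowOverride setting permits them (AuthConfig for `Require`, Limit for `Order`/`Deny`). A request for /engine/settings.php~ should then return 403 rather than the file's source.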