View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0008089 | mantisbt | security | public | 2007-06-21 02:41 | 2014-01-21 16:13 |
Reporter | deboutv | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | N/A |
Status | confirmed | Resolution | open | ||
Product Version | 1.1.0a3 | ||||
Summary | 0008089: Make the location of config_inc.php relocatable outside htdocs | ||||
Description | Sometimes the webserver sends an uninterpreted PHP file to the client (because of a bug in the webserver, a misconfiguration, the PHP engine being unavailable...). To prevent this behaviour (seeing the config_inc.php file directly), I recommend moving the config file into a directory protected by a .htaccess file (deny from all) or (better) moving the config file out of the document_root directory. | ||||
Tags | No tags attached. | ||||
I wonder if we can add an .htaccess file to block serving specific files. We should also add one to block other folders like core/. I am not very familiar with the htaccess format, so people are welcome to contribute their suggestions.

AFAIK, the packaged versions in Linux already move config_inc.php out of the webroot exactly for the reasons you are stating. Since this affects only those installing manually from sources, I think it would be enough to note this issue (with possible workarounds) in the installation instructions.

Agreed with the need to make the location of config_inc.php relocatable outside of the web root. I already do the same thing (hard coded changes) when installing MantisBT from source.

I believe we support having an env variable point to the config_inc.php. We could add a check to the admin/check/ page which would direct admins to move config_inc.php out of htdocs and include it in a local one or point to it using the env variable.
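One way the check suggested in the last note could decide whether a config file sits under the document root, written as an added example that is not part of the thread or of MantisBT's code. The function names and the temporary demo paths are hypothetical.

```php
<?php
// Added example, not MantisBT code. Function names and demo paths are hypothetical.

// True when $path lies below $root. The trailing separator stops a sibling
// such as /srv/htdocs2 from matching the root /srv/htdocs.
function is_below( string $path, string $root ): bool {
    $root = rtrim( $root, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    return strncmp( $path, $root, strlen( $root ) ) === 0;
}

// Classify a config file as 'inside' or 'outside' the document root,
// or 'missing' when the file or the root does not exist.
function config_exposure( string $config_file, string $docroot ): string {
    $real_root = realpath( $docroot );
    $real_dir  = realpath( dirname( $config_file ) );
    if( $real_root === false || $real_dir === false || !is_file( $config_file ) ) {
        return 'missing';
    }
    // Resolve only the directory: a symlink named config_inc.php placed in
    // htdocs still counts as inside, because the web server can follow it.
    $location = $real_dir . DIRECTORY_SEPARATOR . basename( $config_file );
    return is_below( $location, $real_root ) ? 'inside' : 'outside';
}

// Constructed demo tree standing in for a manual install from sources.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cfgdemo_' . getmypid();
$dirs = [ 'htdocs', 'htdocs2', 'private' ];
foreach( $dirs as $d ) {
    mkdir( "$base/$d", 0700, true );
    file_put_contents( "$base/$d/config_inc.php", "<?php // constructed sample\n" );
}
foreach( $dirs as $d ) {
    $result = config_exposure( "$base/$d/config_inc.php", "$base/htdocs" );
    printf( "%-8s %s\n", $d, $result );
}
// Remove the demo tree.
foreach( $dirs as $d ) {
    unlink( "$base/$d/config_inc.php" );
    rmdir( "$base/$d" );
}
rmdir( $base );
```

The path test only reports where the file lives; it does not confirm that the web server actually refuses to serve it, which still depends on the server configuration.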