(2.0.7) Cannot load files via HTTP from manifest/cache (breaking markItUp extension)
A for , submitted by nickdunn on 06 January 2010
Closed #202: (2.0.7) Cannot load files via HTTP from manifest/cache (breaking markItUp extension)
Please, remove that .htaccess from /manifest. Let’s think of another solution for this problem!
Is it possible to make config.php inaccessible using the main .htaccess?
I think htaccess is the best solution for the problem (it’s exactly what htaccess is there for) however I think the rule needs updating. Directory or DirectoryMatch rules could be added for the cache folder.
Directory or DirectoryMatch rules could be added for the cache folder.
I think that’s a good idea.
I don’t think it is possible to use DirectoryMatch or Directory in .htaccess. Not really sure at this stage what the best setup is.
@Alistair In this case, I suggest to change index.php directly.
define('DOCROOT', rtrim(dirname(__FILE__), '\/'));
define('DOMAIN', rtrim(rtrim($_SERVER['HTTP_HOST'], '\/') . dirname($_SERVER['PHP_SELF']), '\/'));
define('CONFIG', DOCROOT . '/../config.php'); ## Here is the secret..

require(DOCROOT . '/symphony/lib/boot/bundle.php');

function renderer($mode='frontend'){
    require_once(CORE . "/class.{$mode}.php");
    return ($mode == 'administration' ? Administration::instance() : Frontend::instance());
}

$renderer = (isset($_GET['mode']) ? strtolower($_GET['mode']) : 'frontend');
$output = renderer($renderer)->display(getCurrentPage());

header(sprintf('Content-Length: %d', strlen($output)));
echo $output;
exit();
What do you think?
@Alistair In this case, I suggest to change index.php directly.
I assume you mean to put the config outside the public folder. 2 problems with this approach.
- Not all web hosts let you do that
- It means the index.php file must change based on where you put the config.php file.
Perhaps the default install has a .htaccess with a FilesMatch rule denying access to the config file, but not worrying about anything else.
<FilesMatch "^config.php$">
    deny from all
</FilesMatch>
We could write a tutorial/article on hardening up a Symphony installation, which could cover moving the config.php.
I have decided to remove the manifest/.htaccess file altogether. Post-2.0.7 I shall write an article on how to harden up a Symphony install, and this will include the creation of a .htaccess in the manifest folder.
I should add, those having problems with the “deny from all”, feel free to delete manifest/.htaccess.
This issue is closed.
2.0.7 introduces an .htaccess file in the /manifest with the line:
I presume this is for security to ensure no configuration or cache files are ever opened, no matter how your server is configured.
Only, the markItUp extension writes its own files to the cache and serves these via HTTP to build the editor.
Can the deny rule be relaxed for the cache folder? It’s likely other extensions might be using this method too.
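One way to get the relaxation asked for in this issue without Directory or DirectoryMatch, shown as an added example that is not part of the original thread or of Symphony's own files: a second .htaccess placed inside manifest/cache overrides the parent's deny for that folder only. It assumes Apache 2.2 access-control syntax (the "deny from all" style used in the thread) and that AllowOverride permits Limit for these directories; the list of executable extensions is also an assumption.

```apache
# ---------------- manifest/.htaccess ----------------
# Default for everything under manifest/, config.php included:
# nothing is served over HTTP.
Order deny,allow
Deny from all

# ------------- manifest/cache/.htaccess -------------
# <Directory> and <DirectoryMatch> are only valid in the main server
# config, so the per-folder exception lives in its own .htaccess.
# Settings in a deeper directory take precedence over the parent's,
# which re-opens the cache folder for files that extensions generate
# and then load over HTTP.
Order allow,deny
Allow from all

# Even in the re-opened folder, refuse anything the server might
# execute, so a file written into the cache cannot be run by URL.
# (Extension list is an assumption; match it to the host's handlers.)
<FilesMatch "\.(php|phtml|cgi|pl)$">
    Order deny,allow
    Deny from all
</FilesMatch>
```

On Apache 2.4 without mod_access_compat, the equivalent directives are `Require all denied` and `Require all granted`.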