
It just occurred to me, if someone would try to directly access my templates and utilities, they could go to a URL like: www.mysite.com/workspace/utilities/master.xsl or www.mysite.com/workspace/pages/contact.xsl to look at the template of my pages.

I think this should be considered a security issue, since templates may have various choose-actions based on login information, for example, or there could be some vital information stored in comments.

This can be easily prevented by adding some simple rules to the .htaccess-file:

RewriteRule ^workspace/pages /404/
RewriteRule ^workspace/utilities /404/

I’m not sure if this is the best approach to prevent this threat, but I think it’s something that should be looked into.

It’s not the best method no, but it’s probably better than nothing.

I think the approach you want is something like this in your .htaccess file or equivalent place (vhost file etc.):

http://pastie.org/1308150

This is from a quick Google search, so it may not be bulletproof, but it ought to give you somewhere to start. I have some of these rules for sites on my dev server, but I haven’t the time to look right now.

Ehm, how do you serve images from the workspace folder when you denied access to the whole folder?

Sorry this was just a quick pointer in the right direction.

Yes you’ll need to specify the specific subdirectories under workspace, not the whole thing!

Thanks Nils.

Agreed. This was raised at the London Symposium and I think this should ideally be addressed for Symphony 2.2. Although we consider XSLT files simple “views” which really shouldn’t matter if they’re viewable, the reality is that they do contain business (display) logic, and the rule of thumb should be to lock things down as much as possible.

I’d suggest a FilesMatch directive.

# Apache 2.2 syntax. The dot must be escaped: an unescaped "." matches
# any character, so ".(xsl)$" would also match e.g. "axsl".
<FilesMatch "\.(xsl)$">
    Deny from All
</FilesMatch>

But modified so that it only applies to the workspace.

This will be more important in Symphony 3 where page configurations are stored in XML files in the workspace.

There was an idea to add this for files in manifest but was abandoned:

http://getsymphony.com/discuss/issues/view/202/

If your files and folders are set correctly to 755 then none of this should be an issue.

The safest way, if you need other permissions or have no override privileges in .htaccess, is to add a blank HTML file in each folder, as Symphony doesn’t pick up .html in these folders, then turn off directory listings in Apache/.htaccess.

All the above, other than Nick’s suggestion, will cause issues with images/js/css.
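As an added example that is not code from this thread or from the Symphony project: a workspace/.htaccess that takes the deny-by-default approach discussed above and then re-allows only the static assets Nils asked about, so images, CSS and JS keep working while every .xsl (and anything else stored under workspace) returns 403 on direct request. It assumes Apache 2.4 with mod_authz_core, with a 2.2 Order/Deny/Allow fallback; that AllowOverride permits Limit, AuthConfig and Options in .htaccess; and that the site's root rewrite rules pass requests for existing files through (as Symphony's default .htaccess does with its RewriteCond !-f), so this file is what decides whether a direct request reaches a template. The extension list is an assumption; extend it to whatever asset types a site actually keeps under workspace.

```apache
# workspace/.htaccess  (added example, not the thread's or Symphony's own file)
# Assumes AllowOverride permits Limit, AuthConfig and Options for this directory.
# Symphony's PHP reads templates from disk, not over HTTP, so denying direct
# requests here does not affect page rendering.

# No directory listings, even where a subfolder has no index file.
Options -Indexes

# Deny by default: .xsl, .xml, .sql, .php, editor backups, and anything else
# that is not explicitly re-allowed below.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>

# Re-allow only the static asset types the public pages need.
# A FilesMatch section is more specific than the directory-level default,
# so its Require (2.4) or Order/Allow (2.2) replaces the deny above for
# matching files. The escaped dot keeps the match to real extensions.
# (The extension list is an assumption; adjust it to the site.)
<FilesMatch "\.(css|js|png|jpe?g|gif|svg|ico|woff2?|ttf|eot|pdf)$">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</FilesMatch>
```

After dropping the file in place, request a template and an asset directly: www.mysite.com/workspace/pages/contact.xsl should come back 403 and a stylesheet under workspace should still come back 200. A 404 instead of a 403 for the .xsl would mean the root rewrite rules caught the request before this file was consulted, which is worth confirming either way. Note the trade-off against the RewriteRule-to-/404/ approach earlier in the thread: a 403 confirms that the file exists, while the rewrite hides it; if that matters, add an ErrorDocument 403 pointing at the same 404 page.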


Symphony • Open Source XSLT CMS
