Security : Prevent direct access to your pages and utilities-folder
This is an open discussion with 6 replies, filed under General.
It’s not the best method no, but it’s probably better than nothing.
I think the approach you want is something like this in your .htaccess file or equivalent place (vhost file etc.):
This is from a quick google search, so it may not be bulletproof but it ought to give you somewhere to start. I have some of these rules for sites on my dev server but I haven’t the time to look right now.
Ehm, how do you serve images from the workspace folder when you denied access to the whole folder?
Sorry this was just a quick pointer in the right direction.
Yes you’ll need to specify the specific subdirectories under workspace, not the whole thing!
Thanks Nils.
Agreed. This was raised at the London Symposium and I think this should ideally be addressed for Symphony 2.2. Although we consider XSLT files simple “views” which really shouldn’t matter if they’re viewable, the reality is that they do contain business (display) logic, and the rule of thumb should be to lock things down as much as possible.
I’d suggest a FilesMatch directive.
<FilesMatch "\.xsl$">
    Deny from All
</FilesMatch>
But modified so that it only applies to the workspace.
This will be more important in Symphony 3 where page configurations are stored in XML files in the workspace.
There was an idea to add this for files in manifest, but it was abandoned:
If your files and folders are set correctly to 755 then none of this should be an issue.
The safest way, if you need other permissions or have no override privileges in htaccess, is to add a blank html file in each folder, as Symphony doesn’t pick up .html in these folders, then turn off directory listings in Apache/htaccess.
All the above, other than Nick’s suggestion, will cause issues with images/js/css.
It just occurred to me, if someone would try to directly access my templates and utilities, they could go to a URL like:
www.mysite.com/workspace/utilities/master.xsl
or www.mysite.com/workspace/pages/contact.xsl
to look at the template of my pages. I think this should be considered as a security issue, since templates may have various choose-actions based on login information for example, or there could be some vital information stored in comments. This can be easily prevented by adding some simple rules to the .htaccess-file:
I’m not sure if this is the best approach to prevent this threat, but I think it’s something that should be looked into.
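A worked .htaccess example, added here and not from any of the posters above or from the Symphony project itself, that applies Nick’s FilesMatch idea only to the workspace folder (so images, JS and CSS under workspace keep being served, which was Nils’s concern) and shows the root-level rewrite alternative for hosts that only let you edit the site-root .htaccess. It assumes Symphony’s default layout (XSLT under workspace/pages and workspace/utilities) and that AllowOverride permits FileInfo and Limit directives.

```apache
# Added example for this thread; not Symphony's own configuration.
# Assumes Symphony's default workspace layout and that AllowOverride
# grants at least FileInfo and Limit for .htaccess files.

# --- Weak version, as quoted in the thread (shown for comparison only) ---
# The unescaped "." matches any character, and putting this in the site
# root .htaccess blocks .xsl files everywhere, not just under workspace/.
# <FilesMatch ".(xsl)$">
#     Deny from All
# </FilesMatch>

# --- Corrected version: put this file at workspace/.htaccess ---
# It applies to workspace/ and every subdirectory (pages/, utilities/, ...)
# but only to files ending in .xsl, so images/js/css in workspace/ still load.
<FilesMatch "\.xsl$">
    # Apache 2.4 uses mod_authz_core ...
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # ... while Apache 2.2 uses the older Order/Deny syntax.
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from All
    </IfModule>
</FilesMatch>

# Stop directory listings so the folder contents cannot be enumerated;
# this is the same effect as the blank index.html trick mentioned above.
Options -Indexes

# --- Alternative when only the site-root .htaccess is editable ---
# Place this ABOVE Symphony's existing RewriteRule lines so the request is
# answered with 403 before the front controller rewrite is considered.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^workspace/.+\.xsl$ - [F,L]
</IfModule>
```

After applying either variant, requesting /workspace/utilities/master.xsl should return a 403 while /workspace/images/... continues to return 200; check the access log for 403 entries against workspace/ to confirm the rule is being hit.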