Posted by Jochem Maas on 06/01/05 14:00
Denis Gerasimov wrote:
>
>>
>> <Files ~ "\.inc$">
>> Order allow,deny
>> Deny from all
>> </Files>
>>
>>Without this rule people would be able to access the .inc file directly
>>and since PHP won't parse it, the raw source code would be visible which
>>could be a security problem. If you prevent this simply by putting .php
>>onto the end of your include files, you could have a different security
>>problem in that files designed to be included could be run out of their
>>include context and could potentially do something unexpected.
>
>
> I do not agree.
>
> First, this works the same way:
>
> <Files ~ "\.inc\..*$">
> Order allow,deny
> Deny from all
> </Files>
cool. cheers for that :-)
>
> Second, how do you distinguish PHP .inc files from HTML .inc files?
> Many programs can't either... IMHO it is very inconvenient.
>
> Third, I always write context-independent include files.
>
> Objections?
I'd say so.
a, your disagreement is more like an amendment.
b, what's an HTML .inc file anyway?
c, you can use a directory structure to help identify your files.
d, seems to me Rasmus was offering his way of doing 'it' (and highlighting
potential security issues) rather than stating how you must do it,
granted he invented (is that the correct word?) php so chances are
that his idea(s) are solid even though you may disagree initially :-)
me I stick a '.php' at the end of every filename (habit mostly)
and keep all my includes outside of the webroot. mostly it's personal
preference so long as you keep safety in mind, right? :-)
>
> Thank you.
>
> Best regards,
> Denis Gerasimov,
> Chief Developer, VEKOS Ltd.
> www.vekos.ru
>
>
>>-Rasmus
>>
>>--
>>PHP General Mailing List (http://www.php.net/)
>>To unsubscribe, visit: http://www.php.net/unsub.php
>
>
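
An added example, not part of the original thread: a Python check that reports what a direct request for each include-style file under a document root would do under the two `<Files>` patterns quoted above. It assumes only `*.php` is handed to the PHP interpreter; the function names and sample file names are constructed for illustration.

```python
import os
import re

# The two <Files ~ "..."> patterns quoted in the thread. Apache matches <Files>
# against the last path component and does not anchor the regex, which
# re.search on the basename reproduces.
RULES = {
    "suffix": re.compile(r"\.inc$"),
    "infix": re.compile(r"\.inc\..*$"),
}

# Assumption: the server hands only *.php to the PHP interpreter.
PHP_EXTENSIONS = (".php",)

# Names that look like include files: ".inc" at the end or followed by a dot.
INCLUDE_LIKE = re.compile(r"\.inc(\.|$)")


def classify(filename, active=("suffix", "infix")):
    """Return what a direct request for this file would do."""
    base = os.path.basename(filename)
    if any(RULES[name].search(base) for name in active):
        return "denied"
    if base.endswith(PHP_EXTENSIONS):
        return "executed"  # parsed by PHP, outside its include context
    return "raw"           # sent as-is, so the source is visible


def audit(docroot, active=("suffix", "infix")):
    """Map each include-style file under docroot to its exposure."""
    report = {}
    for folder, _dirs, files in os.walk(docroot):
        for name in files:
            if INCLUDE_LIKE.search(name):
                rel = os.path.relpath(os.path.join(folder, name), docroot)
                report[rel] = classify(name, active)
    return report


# Constructed sample names, not taken from the thread.
SAMPLES = ["db.inc", "db.inc.php", "header.inc.html"]

if __name__ == "__main__":
    for rules in (("suffix",), ("infix",), ("suffix", "infix")):
        print(rules, {n: classify(n, rules) for n in SAMPLES})
```

Running `audit()` against a real document root lists any include file still reachable by URL; an empty report is also what results when all includes are kept outside the webroot.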