[MonoDevelop] PHP Language Bindings

Victor Rafael Rivarola Soerensen (FANATICO y LOCO por Cristo) vrrivaro at gmail.com
Sun Sep 24 20:38:26 EDT 2006


2006/9/23, Michael Hutchinson <m.j.hutchinson at gmail.com>:
> On 9/23/06, Victor Rafael Rivarola Soerensen (FANATICO y LOCO por
> Cristo) <vrrivaro at gmail.com> wrote:
> > Not necessarily. For security reasons, it is recommended that templates
> > and other files referred to by the scripts be kept outside the web
> > server's document root. This makes it more difficult (it is still
> > possible) for some cracker to deface your site.
>
> I don't get this -- surely you want to limit your scripts' read/write
> access to *inside* your web root, so that if someone subverts them or
> injects malicious code, they can't access the rest of the filesystem.

You want to keep the files outside the web root, so that there is no
possible way somebody can get to your template files by means of a
manually typed address in a browser, but inside a special directory
anyway, so as to protect the rest of the filesystem. For example:

/
  home
    webuser
      www
        webroot
        templates
    otherwebuser
      www
        webroot
        templates

If you use this hierarchy, webuser's webroot is
/home/webuser/www/webroot, his templates are stored safely from web
access in /home/webuser/www/templates, and his permissions allow him
read/write access to the /home/webuser/www directory. User otherwebuser's
webroot is /home/otherwebuser/www/webroot, his templates are in
/home/otherwebuser/www/templates and his read/write access is limited
to /home/otherwebuser/www.

> As for preventing direct outside access to these files, this should be
> done by the web server itself. For example, the Drupal PHP CMS
> framework uses the .htaccess rule
> <FilesMatch "(\.(engine|inc|install|module|sh|.*sql|theme|tpl(\.php)?|xtmpl)|code-style\.pl|Entries.*|Repository|Root)$">
>   Order deny,allow
>   Deny from all
> </FilesMatch>

What happens when your customer decides to use IIS? Or do you know of
a way, without requiring any software add-on and available in a default
installation, to have it obey the .htaccess files or provide it
with per-directory access instructions? How about other servers?

Jesus bless you,

Victor

-- 
FANÁTICO
"Because you are lukewarm, and neither cold nor hot, I will vomit you out of my mouth."
Revelation 3:16

LOCO
"For the word of the cross is foolishness to those who are perishing; but to
us who are being saved it is the power of God."
1 Corinthians 1:18
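The directory layout discussed in this message, turned into a small PHP template loader. This is an added illustration, not code from the thread or from MonoDevelop; the /home/webuser/www paths follow the example tree above and are assumptions. Templates live outside the document root, so they can never be fetched by URL, and the loader refuses any name that would resolve outside the template directory, which addresses the concern about scripts reaching the rest of the filesystem.

```php
<?php
// Added example (not from the original thread). Directory names are
// assumptions taken from the example tree in the message above.
declare(strict_types=1);

// Outside the document root (/home/webuser/www/webroot), but still inside
// the user's own /home/webuser/www tree.
const TEMPLATE_DIR = '/home/webuser/www/templates';

function resolveTemplate(string $name, string $baseDir = TEMPLATE_DIR): string
{
    // Canonicalise the configured base directory (resolves symlinks, '..').
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException("Template directory missing: $baseDir");
    }

    // Reject empty names and embedded NUL bytes before touching the filesystem.
    if ($name === '' || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('Invalid template name');
    }

    // realpath() returns false for files that do not exist.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false) {
        throw new RuntimeException("Template not found: $name");
    }

    // The resolved path must still be inside the template directory;
    // this catches '../' sequences and symlinks pointing elsewhere.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException("Template outside template directory: $name");
    }

    return $path;
}

function renderTemplate(string $name, array $vars): string
{
    $file = resolveTemplate($name);
    extract($vars, EXTR_SKIP);   // expose template variables; never overwrites $file
    ob_start();
    include $file;
    return (string) ob_get_clean();
}

// Usage (constructed): the template file is read from disk by the script,
// but no browser request can reach /home/webuser/www/templates directly.
// echo renderTemplate('page.tpl.php', ['title' => 'Hello']);
```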

