Hi,

Some shops suffer from unauthorized access via HTTP to the exported files in the shop's /export dir. The bug: https://bugs.oxid-esales.com/view.php?id=1196
Basically, this case occurred because of a misconfiguration of the eShop environment. It can simply be solved by adding a .htaccess file to the /export dir with some restrictions on file access. But we cannot include such a .htaccess file in the default eShop package, because:

1. Without password protection, it would deny any access to these files via HTTP (they would be accessible only via the file system).
2. If access via HTTP is needed, authentication by user:password should be implemented. In this case the user and password should be created and stored only locally on the servers of each shop (i.e. in .htpasswd), as a default user:password does not solve the problem.

So we would like to discuss possible solutions: what improvements can be implemented by default in the shop. A few ideas from our side:

- Use random or customized filenames to make them less guessable.
- Add a delete button to the backend to make exports comfortably deletable without using FTP.
- Make exports only accessible via the backend.
- Add a security notice to the export page in the backend.

The behaviour could be like this:

1. Remove the filename input box altogether.
2. When the user clicks "generate", the file is physically written to a protected dir (tmp?).
3. After the file is generated, it is offered to the user for download, served as a standard view (meaning standard admin authentication applies).
4. The user saves it locally.

Any ideas how to solve this in a better way?

Dainius

_______________________________________________
dev-general mailing list
[email protected]
http://dir.gmane.org/gmane.comp.php.oxid.general
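The two .htaccess variants the post weighs (deny all HTTP access, or require HTTP Basic authentication against a per-server .htpasswd) written out as an added example. This is not a file from the post or from the OXID eShop package; the credential file path /etc/apache2/oxid-export.htpasswd and the user name exportuser are assumptions, and the IfModule split is there only so the same file works on Apache 2.2 (mod_access) and 2.4 (mod_authz_core).

```apache
# Added example: .htaccess for the shop's /export directory.
# Variant 1 (active below): refuse every HTTP request to this directory.
# The files stay readable on the file system (FTP, SSH, the shop's own PHP
# code), which is the "no password protection" case from the post.
<IfModule mod_authz_core.c>
    # Apache 2.4
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order deny,allow
    Deny from all
</IfModule>

# Variant 2: allow HTTP downloads, but only with Basic authentication.
# Replace the two IfModule blocks above with the lines below. The credential
# file is created once per installation (never shipped with the package),
# kept outside the document root, and filled with e.g.
#   htpasswd -c /etc/apache2/oxid-export.htpasswd exportuser
# Path and user name are assumptions for this example.
#
# AuthType Basic
# AuthName "eShop export files"
# AuthUserFile /etc/apache2/oxid-export.htpasswd
# Require valid-user
```

Two things to check after dropping the file in place: the directory must be covered by an AllowOverride setting that permits AuthConfig and Limit directives, otherwise Apache silently ignores the .htaccess; a request such as curl -sI http://shop.example/export/somefile.csv should then answer 403 (variant 1) or 401 (variant 2) instead of 200. With variant 2, Basic authentication only transports the password base64-encoded, so the export URL should be reachable over HTTPS only.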
