See https://httpd.apache.org/docs/2.4/custom-error.html for information
about the format of the error response page.
I believe Drupal auto-creates a .htaccess file with ErrorDocument
directives and other setups. They also use one for clean urls, which is
something we might consider.
Of course, we can't actually write a .htaccess file in the wwwroot,
because we mandate a non-writable wwwroot. Although increasingly other
projects are switching away from a read-only wwwroot, in order to allow
the application to update itself.
Wishlist: Apache-compatible 404 error response page
Status in Mahara:
Due to receiving a few security reports about it, we've recently re-
styled the 404 response pages for most of the Mahara project sites.
The reports we received pointed out that the default Apache 404
response page prints the url-decoded (but still html-escaped) query
portion of the URL on the page. This could result in attackers
printing arbitrary text onto the page, with spaces and such, which
conceivably could be part of a phishing attack.
To keep things simple, we replaced it with a static empty page that
doesn't include any details about the requested query. However,
ideally we'd want to print out a page more like Google's 404 page:
1. Styled in the site's theme
2. Contains the requested URL, but in a way that clearly sets it apart (i.e.,
url-encoded so that spaces are transformed into %20, and possibly truncated if
it's quite long.)
3. Maybe translated as well.
We could achieve this by shipping a PHP script with Mahara, which a
Mahara site admin could then configure their Apache server to use for
its 404 error document, via this directive:
ErrorDocument 404 /errors/404.php
We might also provide a "sample.htaccess" file, sitting at the top
level of the project (outside the htdocs directory) to show people how
to set this up. (We used to include a .htaccess file in Mahara's
htdocs by default, but this could cause crashes if people were using
different servers or different versions of Apache).
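A sketch of what the proposed /errors/404.php could do for item 2 of the wishlist (show the requested URL percent-encoded and truncated), written here as an added example and not taken from Mahara's code. The function name display_safe_uri() and the 80-character limit are assumptions; theming and translation are left out.

```php
<?php
// Added example for the proposed /errors/404.php; not Mahara's own code.
// display_safe_uri() and the 80-character limit are hypothetical choices.

function display_safe_uri(string $rawuri, int $maxlen = 80): string {
    // Keep bytes that are already URL-safe (including existing %XX escapes)
    // and percent-encode every other byte, so spaces, quotes, angle brackets
    // and control characters can never render as free text on the page.
    $encoded = preg_replace_callback(
        '/[^A-Za-z0-9\-._~\/?&=%+:@,;]/',
        function (array $m): string {
            return rawurlencode($m[0]);
        },
        $rawuri
    );
    if (strlen($encoded) > $maxlen) {
        $encoded = substr($encoded, 0, $maxlen);
        // Do not leave a dangling "%" or "%X" from an escape split by the cut.
        $encoded = preg_replace('/%[0-9A-Fa-f]?$/', '', $encoded);
        $encoded .= '...';
    }
    return $encoded;
}

// Make sure the error page itself is served with a 404 status.
http_response_code(404);
header('Content-Type: text/html; charset=utf-8');

// When Apache serves a local ErrorDocument, REQUEST_URI still holds the URI
// the client originally sent, in its undecoded form.
$shown = display_safe_uri($_SERVER['REQUEST_URI'] ?? '/');
?>
<!DOCTYPE html>
<html>
<head><title>Page not found</title></head>
<body>
<h1>Page not found</h1>
<p>The requested URL was not found on this server:</p>
<!-- HTML-escape on output as well, in a block that sets the URL apart. -->
<pre><?php echo htmlspecialchars($shown, ENT_QUOTES, 'UTF-8'); ?></pre>
</body>
</html>
```

With this in place, a request such as /nosuchpage?msg=Please%20call%20us is shown exactly in that encoded form instead of as readable text with spaces.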