Looking at the Mahara installation guide
we could add some ErrorDocument lines to that <virtualHost> info and
give instructions on how to set that up to point to relating *.php files
(eg errors/404.php) in Mahara so they can be served maybe.

And then include a bunch of error php files in mahara that can be
served, maybe?

You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask 
on #mahara-dev or mahara.org forum before editing or unsubscribing it!

  Wishlist: Apache-compatible 404 error response page

Status in Mahara:

Bug description:
  Due to receiving a few security reports about it, we've recently re-
  styled the 404 response pages for most of the Mahara project sites.
  The reports we received pointed out that the default Apache 404
  response page prints the url-decoded (but still html-escaped) query
  portion of the URL on the page. This could result in attackers
  printing arbitrary text onto the page, with spaces and such, which
  conceivably could be part of a phishing attack.

  To keep thing simple, we replaced it with a static empty page that
  doesn't include any details about the requested query. However,
  ideally we'd want to print out a page more like Google's 404 page:

  1. Styled in the site's theme
  2. Contains the requested URL, but in a way that clearly sets it apart (i.e., 
url-encoded so that spaces are transformed into %20, and possibly truncated if 
it's quite long.)
  3. Maybe translated as well.

  We could achieve this by shipping a PHP script with Mahara, which a
  Mahara site admin could then configure their Apache server to use for
  its 404 error document, via this directive:

  ErrorDocument 404 /errors/404.php

  We might also provide a "sample.htaccess" file, sitting at the top
  level of the project (outside the htdocs directory) to show people how
  to set this up. (We used to include a .htaccess file in Mahara's
  htdocs by default, but this could cause crashes if people were using
  different servers or different versions of Apache).

To manage notifications about this bug go to:

Mailing list: https://launchpad.net/~mahara-contributors
Post to     : mahara-contributors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mahara-contributors
More help   : https://help.launchpad.net/ListHelp

Reply via email to