On Friday, February 15, 2002, at 12:35 PM, J Smith wrote:
> The only real security problem is that if the file isn't parsed and
> it's in the web server's document path, somebody can just go to
> http://www.example.com/include/config.inc and see the entire contents in
> plaintext -- passwords and config options galore. However, sticking
> those .inc files outside of the web server's document path or otherwise
> cutting off access to those files makes things a lot safer.
>
> When I met Rasmus at a seminar a few months ago, he mentioned that he
> kind of started the whole ".inc" thing with included files, but he was
> astonished how so many people followed his convention without realizing
> that somebody could look into the .inc file so easily. When he was doing
> it, he always explicitly denied access to those files through a <Files>
> directive in Apache's httpd.conf file, which nobody else bothered to do.
>
> So if you want people to view those files and all of the code in them,
> go nuts. Otherwise, you'd better somehow cut off access to them.
> (Personally, I use an include directory and use a .htaccess file to
> limit access.)

Exactly. So we have two problems:

1) we don't want people to be able to request 'domain.com/includes/file.inc' and see the text output

2) we don't want the parser to ever execute code out of context, i.e. serve a parsed version of 'domain.com/includes/file.inc' without including it into its parent.

So to tackle the first problem we set a directive in httpd.conf that denies any requests for any page that ends in '.inc' (I suppose a .htaccess file could work as well but I don't use them), and to tackle the second problem, we don't add '.inc' to our list of file types that should be parsed in the "AddType" line. Here's the directive:

    <Files ~ "\.inc$">
        Order allow,deny
        Deny from all
    </Files>

If you look under the archives, you will find the thread where I was the one who thought that parsing .inc was a good idea, and someone explained this very subject to -me-. :) (I think it was Mike Cullerton)

Erik

----
Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
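As an added example (mine, not from the thread or from Erik's own setup): a small Python audit that applies the two rules discussed above, the Files deny pattern on ".inc" and the AddType list of parsed extensions, to a document root and reports files that hold PHP source yet fall under neither rule, such as editor backups of .inc files. The parsed-extension list and the sample tree are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile

# Deny rule from the thread's <Files ~ "\.inc$"> directive: a regex on the file name.
DENY_PATTERNS = [re.compile(r"\.inc$")]
# Extensions handed to PHP via AddType; assumed list, with ".inc" deliberately absent.
PARSED_EXTENSIONS = {".php", ".php3"}

def classify(filename):
    """How the configuration from the thread treats a request for this file name."""
    if any(p.search(filename) for p in DENY_PATTERNS):
        return "denied"      # matched by the <Files> block: Apache answers 403
    if os.path.splitext(filename)[1].lower() in PARSED_EXTENSIONS:
        return "parsed"      # handed to PHP; the source never leaves the server
    return "plaintext"       # served verbatim, passwords and all

def audit(docroot):
    """Return files under docroot that hold PHP source but would be served verbatim,
    e.g. editor backups of .inc files that the deny pattern does not match."""
    leaks = []
    for dirpath, _, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                has_php = b"<?" in fh.read(65536)   # cheap check for a PHP open tag
            if classify(name) == "plaintext" and has_php:
                leaks.append(os.path.relpath(full, docroot).replace(os.sep, "/"))
    return sorted(leaks)

def build_sample_docroot():
    """Constructed sample tree (not from the original post) for a demonstration run."""
    root = tempfile.mkdtemp(prefix="docroot_")
    os.mkdir(os.path.join(root, "includes"))
    samples = {
        "index.php": "<?php include 'includes/config.inc'; ?>",
        "includes/config.inc": "<?php $db_pass = 'hunter2'; ?>",      # denied: fine
        "includes/config.inc.bak": "<?php $db_pass = 'hunter2'; ?>",  # backup: leaks
        "includes/db.inc~": "<?php $dsn = 'mysql://db.example'; ?>",  # backup: leaks
        "readme.txt": "Installation notes, no code here.",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for leak in audit(build_sample_docroot()):
        print("served as plaintext:", leak)
```

The point the audit makes is that a deny pattern anchored on ".inc" protects the include itself but not a copy of it under another name, so either the pattern or the deployment process has to account for backups.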