On Friday, February 15, 2002, at 12:35  PM, J Smith wrote:

> The only real security problem is that if the file isn't parsed and 
> it's in
> the web server's document path, somebody can just go to
> http://www.example.com/include/config.inc and see the entire contents in
> plaintext -- passwords and config options galore. However, sticking 
> those
> .inc files outside of the web server's document path or otherwise 
> cutting
> off access to those files makes things a lot safer.
> When I met Rasmus at a seminar a few months ago, he mentioned that he 
> kind
> of started the whole ".inc" thing with included files, but he was
> astonished how so many people followed his convention without realizing
> that somebody could look into the .inc file so easily. When he was going
> it, he always explicitly denied access to those files through a <Files>
> directive in Apache's httpd.conf file, which nobody else bothered to do.
> So if you want people to view those files and all of the code in them, 
> go
> nuts. Otherwise, you'd better somehow cut off access to them. 
> (Personally,
> I use an include directory and use a .htaccess file to limit access.)

Exactly.  So we have two problems:

1) we don't want people to be able to request 
and see the text output
2) we don't want the parser to ever execute code out of context, ie 
serve a parsed version of 'domain.com/includes/file.inc' without 
including it into its parent.

So to tackle the first problem we set a directive in httpd.conf that 
denies any requests for any page that ends in '.inc' (I suppose a 
.htaccess file could work as well but I don't use them), and to tackle 
the second problem, we don't add '.inc' to our list of file types that 
should be parsed in the "AddType" line.

Here's the directive:

<Files ~ "\.inc$">
    Order allow,deny
    Deny from all

If you look under the archives, you will find the thread where I was the 
one who thought that parsing .inc was a good idea, and someone explained 
this very subject to -me-.  :)
(I think it was Mike Cullerton)



Erik Price
Web Developer Temp
Media Lab, H.H. Brown

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to