On Feb 1, 2:42 pm, Florian MAURY <[email protected]> wrote:
> The workarounds with php_flag are irrelevant because it needs both the
> use of Apache and the use of PHP as a module which is not performant,
> and not secured either.

Exactly! Thank you, I don't feel alone now :-)

PHP as a module is a very bad idea in my opinion — and is often the
result of very wrong decisions like "chmod 777". The "symfony fix-perms"
task is something that made me realise that something must be
very wrong about how most symfony projects are hosted.

For those using lighttpd, you might be interested in this:

    $HTTP["url"] =~ "^/uploads/" {
        url.access-deny = (".php")
    }

(Please edit accordingly if you associate PHP to other extensions)

On Feb 1, 8:08 am, Fabien Potencier <fabien.potenc...@symfony-
project.com> wrote:
> Wait, all this ONLY "works" if and only if the webserver has write
> access to these directories/files, right? ... which is not the case by
> default, right?
>
> Fabien
Well, the server will have the ability to write a .htaccess file in
the same directory it has the ability to upload a PHP file. So if you
don't validate filenames and extensions, the Apache solutions won't
work.
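
The filename and extension validation mentioned in the last reply, as an added example that is not part of the original thread or of symfony: it rejects dotfiles such as .htaccess, treats every dot-separated part as an extension, and stores the file under a server-generated name. ALLOWED_EXTENSIONS and safe_upload_name() are hypothetical names, and the sample filenames are constructed.

```php
<?php
// Added example, not code from the thread or from symfony.
// ALLOWED_EXTENSIONS and safe_upload_name() are hypothetical names.

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

/**
 * Return a server-generated storage name for an upload, or null when the
 * client-supplied name must be rejected.
 */
function safe_upload_name(string $clientName): ?string
{
    // Drop any directory part the client sent (both separator styles).
    $base = basename(str_replace('\\', '/', $clientName));

    // Dotfiles (.htaccess, .user.ini) and control bytes are never accepted.
    if ($base === '' || $base[0] === '.' || preg_match('/[\x00-\x1f]/', $base)) {
        return null;
    }

    // Every dot-separated part after the first counts as an extension, so
    // "script.php.jpg" is rejected as well as "script.php".
    $parts = explode('.', strtolower($base));
    array_shift($parts);
    if ($parts === []) {
        return null; // no extension at all
    }
    foreach ($parts as $ext) {
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return null;
        }
    }

    // Store under a random name; only the validated final extension survives.
    return bin2hex(random_bytes(16)) . '.' . end($parts);
}

// Constructed sample names.
foreach (['photo.JPG', '.htaccess', 'script.php', 'script.php.jpg', '../x.png'] as $name) {
    printf("%-16s => %s\n", $name, safe_upload_name($name) ?? 'REJECTED');
}
```

Only photo.JPG and ../x.png are accepted, each under a random name that keeps nothing from the client except the validated extension.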