For some reason I made two small errors that made my previous message complete nonsense. Sorry! Here is the fixed reply:
On Feb 1, 2:42 pm, Florian MAURY <[email protected]> wrote:
> The workarounds with php_flag are irrelevant because it needs both the
> use of Apache and the use of PHP as a module which is not performant,
> and not secured either.

Exactly! Thank you, I don't feel alone now :-)

PHP as a module is a very bad idea in my opinion — and is often the cause of very wrong decisions like "chmod 777". The "symfony fix-perms" task is something that made me realize that something must be very wrong about how most symfony projects are hosted.

For those using lighttpd, you might be interested in this:

    $HTTP["url"] =~ "^/uploads/" {
        url.access-deny = (".php")
    }

(Please edit accordingly if you associate PHP with other extensions)

On Feb 1, 8:08 am, Fabien Potencier <fabien.potenc...@symfony-project.com> wrote:
> Wait, all this ONLY "works" if and only if the webserver has write
> access to these directories/files, right? ... which is not the case by
> default, right?
> Fabien

Well, the server will have the ability to write PHP files in a directory, then it will have the ability to write an .htaccess file in that directory. So if you don't validate filenames and extensions, the Apache solutions won't work.
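
The filename and extension validation the message calls for could look like the sketch below. It is an added example, not code from this thread or from symfony; the function name `safe_upload_name` and the extension allowlist are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not part of symfony.
// Assumed allowlist; adjust to what the application really accepts.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

/**
 * Returns a server-generated name for an uploaded file, or null when
 * the client-supplied name must be rejected.
 */
function safe_upload_name(string $clientName): ?string
{
    // Drop any path component the client sent (both separator styles).
    $base = basename(str_replace('\\', '/', $clientName));

    // Reject empty names, dotfiles (.htaccess, .user.ini) and control bytes.
    if ($base === '' || $base[0] === '.' || preg_match('/[\x00-\x1f]/', $base)) {
        return null;
    }

    // Check every dot-separated segment after the first one: Apache's
    // mod_mime looks at all extensions of a name, so "shell.php.jpg"
    // can still reach the PHP handler depending on configuration.
    $parts = explode('.', strtolower($base));
    array_shift($parts);
    if ($parts === []) {
        return null; // no extension at all
    }
    foreach ($parts as $ext) {
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return null;
        }
    }

    // Never store under the client's name: random name, allowlisted extension.
    return bin2hex(random_bytes(16)) . '.' . end($parts);
}

// Constructed sample names, for illustration only.
$samples = ['photo.jpg', '.htaccess', 'shell.php', 'shell.php.jpg',
            '../../x.png', 'report.PDF', 'README'];
foreach ($samples as $name) {
    printf("%-16s => %s\n", $name, safe_upload_name($name) ?? 'REJECTED');
}
```

This complements the web server rules rather than replacing them: the server-side deny rule still applies if a file with a bad name ends up in the directory some other way.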
