J. Landman Gay wrote:
Yeah, this has been harassing me. I'm pretty sure a path like this would work but I haven't tried it yet: ~/path/to/includeFile. I'm going to test it, that would be way easier.

No - already guessed that one and tried it. "File not found"
(b) isn't it a (minor) security issue?

No, because it's revTalk. The browser never sees the file path, only the contents of the file. To the outside, it looks like hard-coded html.
Different issue. I was concerned about simply guessing the directory name, and hence seeing the include files. Of course, since they are .irev files, you can't simply download them but you can see their names, guess their function, etc. and in some cases retrieving them will give some info about the internals of the site. And in a couple of cases I've just tried, there are other kinds of files in the includes (or inc) directory. (Apologies to anyone who notices me snooping around their site ;-)

I think I'd normally protect my include folder with a .htaccess file, so that random users can't access my include files, they can only access the web pages I want them to access. But that would (I think, haven't tested it) prevent this form of include being used.

I don't think you'd have to, since the path is never sent to the browser. Alternately, I suppose you could store the includes outside the web folder. A path is a path, right?

I didn't think you could do this - but you can. And that's kind of scary. It means that a script error (or deliberate misuse) in any of your add-on domains can see and alter all files, including those in other add-on domains. I'm not sure this is a "feature", it feels more like a "bug" (or at least, a "problem").

-- Alex.
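The .htaccess protection Alex mentions, written out as an added example (it is not code from the thread or from RunRev). It assumes an Apache host that honours per-directory .htaccess files, with either mod_authz_core (Apache 2.4) or the older mod_authz_host (Apache 2.2), and an include directory named `includes` (or `inc`) under the web root. It only blocks direct HTTP requests for the directory's contents; whether the revTalk include mechanism can still read files from a directory blocked this way is exactly the point the thread leaves untested.

```apache
# Added example: place this .htaccess inside the includes (or inc) directory.
# A visitor who guesses the directory name then gets a 403 for every path
# under it, instead of a file listing or a download of the non-.irev files.

# Never produce a directory listing, even if the host enables indexes elsewhere,
# so file names cannot be read off and used to guess what the site does.
Options -Indexes

# Apache 2.4 and later: refuse all requests for anything in this directory.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2: same effect with the old access-control directives.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

For these directives to take effect the server's AllowOverride for the web root must permit at least Options, AuthConfig and Limit; on a shared host that is the part to confirm first. To check the result, request any path under the directory (the directory itself and one known file) and expect a 403 response; a listing or the file coming back means the .htaccess is being ignored. Alex's alternative of keeping the include files outside the web folder removes the exposure without depending on the web server's configuration at all, if the include mechanism accepts such a path.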
_______________________________________________
use-revolution mailing list
use-revolution@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-revolution