Alex Tweedly wrote:
J. Landman Gay wrote:
Yeah, this has been harassing me. I'm pretty sure a path like this
would work but I haven't tried it yet: ~/path/to/includeFile. I'm
going to test it, that would be way easier.
No - already guessed that one and tried it. "File not found"
This works though:
<?rev include "/home/jacque/public_html/myinclude.irev" ?>
(b) isn't it a (minor) security issue?
No, because it's revTalk. The browser never sees the file path, only
the contents of the file. To the outside, it looks like hard-coded html.
Different issue. I was concerned about simply guessing the directory
name, and hence seeing the include files. Of course, since they are
.irev files, you can't simply download them but you can see their names,
guess their function, etc. and in some cases retrieving them will give
some info about the internals of the site. And in a couple of cases I've
just tried, there are other kinds of files in the includes (or inc)
directory. (Apologies to anyone who notices me snooping around their
site ;-)
Isn't that true of any site though? I've set my site not to display file
listings, and anyone who tries should get a "forbidden" error page. It's
an option in cPanel. Or you mean something else?
I don't think you'd have to, since the path is never sent to the
browser. Alternately, I suppose you could store the includes outside
the web folder. A path is a path, right?
I didn't think you could do this - but you can.
I know. It's pretty common I guess, I first read about it some years ago
when researching something else. People writing to various forums
sometimes recommend storing files there because outsiders can't see or
download them.
And that's kind of scary.
It means that a script error (or deliberate misuse) in any of your
add-on domains can see and alter all files, including those in other
add-on domains. I'm not sure this is a "feature", it feels more like a
"bug" (or at least, a "problem").
If so, it's a problem for any site using any language. PHP could do the
same thing.
--
Jacqueline Landman Gay | [email protected]
HyperActive Software | http://www.hyperactivesw.com
_______________________________________________
use-revolution mailing list
[email protected]
Please visit this url to subscribe, unsubscribe and manage your subscription
preferences:
http://lists.runrev.com/mailman/listinfo/use-revolution
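The thread's suggestion of keeping include files outside the web folder, and the worry about other kinds of files sitting in an includes directory, can be turned into a small server-side check. The following is an added example written for this post; it is not code from the thread, from Revolution or from the irev engine. It assumes a hypothetical layout with a `public_html` web root and a sibling `includes` directory that the web server never serves, and a hypothetical rule that only `.irev` files may be included. Everything it touches is created in a temporary directory, so it runs offline.

```python
"""
Added example (not from the thread or from Revolution/irev): resolve an
include name against a directory that lives OUTSIDE the web root and
refuse anything that escapes it or is not an include file.
"""
import os
import tempfile

# Assumption for this example: only revTalk include files may be included.
ALLOWED_SUFFIXES = (".irev",)


def resolve_include(include_root: str, name: str) -> str:
    """Return the absolute path of `name` inside `include_root`.

    Raises ValueError when the name would leave the include root (e.g. via
    '..' or an absolute path) or has a suffix other than the allowed ones,
    and FileNotFoundError when the file does not exist. The caller only ever
    sees file contents; the resolved path is never sent to the browser.
    """
    root = os.path.realpath(include_root)
    # Join first, then canonicalise: realpath collapses '..' and follows
    # symlinks, so the containment check runs on the real location.
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"include escapes include root: {name!r}")
    if not candidate.endswith(ALLOWED_SUFFIXES):
        raise ValueError(f"not an include file: {name!r}")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(name)
    return candidate


def render_include(include_root: str, name: str) -> str:
    """Read a resolved include; this is the only thing the page output sees."""
    with open(resolve_include(include_root, name), encoding="utf-8") as fh:
        return fh.read()


def _write(path: str, text: str) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def probe_layout() -> dict:
    """Build a constructed layout (web root plus a sibling includes directory)
    and record how the resolver treats a few include names."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        web_root = os.path.join(tmp, "public_html")   # served by the web server
        inc_root = os.path.join(tmp, "includes")      # sibling, never served
        os.makedirs(web_root)
        os.makedirs(inc_root)
        # Constructed sample files: one real include, one stray non-include
        # file in the includes directory, one page in the web root.
        _write(os.path.join(inc_root, "myinclude.irev"), '<?rev put "included" ?>')
        _write(os.path.join(inc_root, "notes.txt"), "internal notes")
        _write(os.path.join(web_root, "index.html"), "<html></html>")

        probes = [
            "myinclude.irev",              # legitimate include
            "../public_html/index.html",   # traversal back into the web root
            "/etc/hostname",               # absolute path, ignores the root
            "notes.txt",                   # inside the root but not an include
            "missing.irev",                # well-formed name, no such file
        ]
        for name in probes:
            try:
                resolve_include(inc_root, name)
                results[name] = "ok"
            except FileNotFoundError:
                results[name] = "missing"
            except ValueError:
                results[name] = "rejected"
        results["rendered"] = render_include(inc_root, "myinclude.irev")
    return results


if __name__ == "__main__":
    for name, outcome in probe_layout().items():
        print(f"{name}: {outcome}")
```

The containment check is done on the canonical path rather than by string matching on the requested name, so a symlink inside the includes directory that points elsewhere is rejected too. Directory listing being disabled (the cPanel option mentioned above) is still worth keeping, but with the includes outside the web root there is nothing for a guessed URL to list in the first place.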