#1485269 closed Feature Requests (wontfix)
move logs, temp, include and config out of web tree
| Reported by: | tensor1982 | Owned by: | |
|---|---|---|---|
| Priority: | 5 | Milestone: | 0.2-beta |
| Component: | Security | Version: | git-master |
| Severity: | major | Keywords: | |
| Cc: |
Description
For security's sake please consider moving logs, temp, include and config directories out of the DocumentRoot.
DocumentRoot should only have .php and static files which are directly accessible by requesting the corresponding URL.
A common approach is to carelessly delete .htaccess files and forget about any access control if something does not work. With a new approach only public (world known) files will be in document root and there will be no sensitive files directly accessible through a web server.
Change History (2)
comment:1 Changed 5 years ago by thomasb
- Resolution set to wontfix
- Status changed from new to closed
comment:2 Changed 5 years ago by tensor
Quote from the HOWTO:
This is a very common problem. One solution is to either empty out the .htaccess file, or delete it entirely, in the root of the RoundCube installation folder.
It may happen with a fascist (==good) admin who prohibited some overrides.
Having critical, especially conf, files outside of web tree would be helpful.
If I implement it in installer (with upgrade capability) and change the default layout, would it be included in 0.3 series?

Logs and temp can be moved by config. Howto_Install describes what's needed to be protected. There's no one-structure-fit-all solution we could implement.
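
The layout question raised in this ticket can be checked mechanically. The following Python script is an added example, not Roundcube code and not part of the ticket: it classifies each directory as outside the DocumentRoot, dependent on a .htaccess file, or exposed. The function names and the paths built in `demo()` are constructed for illustration.

```python
import tempfile
from pathlib import Path

def web_path(docroot: Path, target: Path):
    """Path under docroot through which target can be requested, else None."""
    target_r = target.resolve()
    if docroot in target_r.parents:
        return target_r
    for entry in docroot.iterdir():  # top-level symlink leading out of the tree
        if entry.is_symlink() and entry.resolve() in (target_r, *target_r.parents):
            return entry
    return None

def audit(docroot: Path, locations: dict) -> dict:
    """Classify each directory as 'outside', 'htaccess-dependent' or 'exposed'.

    Only the presence of a .htaccess file is checked, not its rules, and it
    protects nothing when the server is set to ignore overrides.
    """
    docroot = docroot.resolve()
    result = {}
    for name, target in locations.items():
        seen = web_path(docroot, target)
        if seen is None:
            result[name] = "outside"
            continue
        chain = [seen] + [p for p in seen.parents if p == docroot or docroot in p.parents]
        guarded = any((d / ".htaccess").is_file() for d in chain)
        result[name] = "htaccess-dependent" if guarded else "exposed"
    return result

def demo() -> dict:
    """Constructed layout in a scratch directory (all paths are made up)."""
    base = Path(tempfile.mkdtemp())
    docroot, private = base / "htdocs", base / "private"
    locations = {"logs": docroot / "logs", "temp": docroot / "temp",
                 "include": private / "include", "config": private / "config"}
    for path in locations.values():
        path.mkdir(parents=True)
    (docroot / "logs" / ".htaccess").write_text("deny from all\n")
    # A symlink inside the web tree makes the moved-out directory reachable again.
    (docroot / "include").symlink_to(private / "include", target_is_directory=True)
    return audit(docroot, locations)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:8} {status}")
```

Anything reported as `htaccess-dependent` loses its protection as soon as the .htaccess file is emptied, deleted or ignored by the server; only `outside` holds regardless of override settings.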