anyone can access any file under gallery2 folder

choipo

Joined: 2005-01-18
Posts: 18
Posted: Thu, 2005-04-21 08:32

I find that all the files can be accessed by anyone.
For example: http://192.168.1.1/gallery2/modules/core/module.inc

I don't know how to disable accessibility for some file types.
How do I set this on Apache?

----

Gallery URL (optional):
Gallery version: 2 beta1
Webserver (with version): Apache 2
Database (with version): Mysql 3
PHP version (eg 4.2.1): 4.2.1
phpinfo URL (optional):
Graphics Toolkit(s):
Operating system:
Web browser/version:
G1 version (for migration bugs):

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Thu, 2005-04-21 10:14

see section "File security" in http://www.edginet.org/techie/website/htaccess.html

you need something like
.htaccess:
<Files *.inc>
Deny From All
</Files>

same for .class

google a little ;)
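
An audit of the kind of rule shown above, as an added example that is not part of the original thread or of Gallery: it walks a document root and lists `.inc` and `.class` files that no inherited `.htaccess` `<Files>`/`<FilesMatch>` deny block covers. It assumes only `.htaccess` files matter (the main server config and `AllowOverride` are ignored), accepts `Deny from all` or the Apache 2.4 form `Require all denied`, and uses a constructed tree; the function names and `Helper.class` are hypothetical.

```python
import fnmatch
import os
import re
import tempfile

# Extensions named in the thread; the regexes find <Files>/<FilesMatch> deny-all blocks.
SENSITIVE = (".inc", ".class")
BLOCK = re.compile(r"<(Files|FilesMatch)\s+\"?([^\">]+)\"?\s*>(.*?)</\1>", re.I | re.S)
DENY = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)


def deny_rules(htaccess_text):
    """Return one matcher per <Files>/<FilesMatch> block that denies everyone."""
    rules = []
    for kind, pattern, body in BLOCK.findall(htaccess_text):
        if not DENY.search(body):
            continue
        if kind.lower() == "files":  # glob against the file's base name
            rules.append(lambda n, p=pattern.strip(): fnmatch.fnmatch(n, p))
        else:  # FilesMatch takes a regular expression
            rules.append(lambda n, r=re.compile(pattern.strip()): bool(r.search(n)))
    return rules


def exposed_files(docroot):
    """List sensitive files under docroot not covered by any inherited deny rule."""
    exposed, inherited = [], {}  # inherited: directory -> rules from it and its parents
    for dirpath, _dirs, files in os.walk(os.path.normpath(docroot)):
        rules = list(inherited.get(os.path.dirname(dirpath), []))
        if ".htaccess" in files:
            with open(os.path.join(dirpath, ".htaccess"), encoding="utf-8") as fh:
                rules += deny_rules(fh.read())
        inherited[dirpath] = rules
        for name in files:
            if name.lower().endswith(SENSITIVE) and not any(r(name) for r in rules):
                exposed.append(os.path.relpath(os.path.join(dirpath, name), docroot))
    return sorted(exposed)


def demo():
    """Constructed tree mirroring the thread's path, audited before and after the fix."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "modules", "core"))
        for name in ("module.inc", "Helper.class", "main.php"):
            open(os.path.join(root, "modules", "core", name), "w").close()
        before = exposed_files(root)
        with open(os.path.join(root, ".htaccess"), "w") as fh:
            fh.write("<Files *.inc>\nDeny From All\n</Files>\n")
        return before, exposed_files(root)
```

With only the `*.inc` block in place, `demo()` still reports the `.class` file, which is why the rule has to be repeated for that extension.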

 
darkknight

Joined: 2003-03-01
Posts: 40
Posted: Thu, 2005-04-21 13:18

Shouldn't that really be part of the installer's job? To lock down the server?

Usually I call include files blah.inc.php so that any requests for them return a blank

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Thu, 2005-04-21 16:04

darkknight, no, that should be the part of the admin when he sets up the webserver ;)

But yes, maybe this could be added in the installer. Note that this is webserver specific (even if apache is the norm) and that this won't be necessary on most installs.
However, you can add a feature request on http://sf.net/projects/gallery/ if you wish.

 
mindless

Joined: 2004-01-04
Posts: 8601
Posted: Thu, 2005-04-21 16:57

Since Gallery is open source, anyone can find the contents of those files anyway. If you're customizing your install and wish to protect modified files, then you can set up your webserver to block direct access to those files.

 
darkknight

Joined: 2003-03-01
Posts: 40
Posted: Thu, 2005-04-21 18:09

good point mindless