0 users online. Create an account or sign in to join them.Users

Announcement

Symphony's issue tracker has been moved to Github.

Issues are displayed here for reference only and cannot be created or edited.

Browse

Closed#202: (2.0.7) Cannot load files via HTTP from manifest/cache (breaking markItUp extension)

2.0.7 introduces an .htaccess file in the /manifest with the line:

deny from all

I presume this is for security to ensure no configuration or cache files are ever opened, no matter how your server is configured.

Only, the markItUp extension writes its own files to the cache and serves these via HTTP to build the editor.

Can the deny rule be relaxed for the cache folder? It’s likely other extensions might be using this method too.

Please, remove that .htaccess from /manifest. Let’s think another solution for this problem!

Is it possible to make config.php unaccessible using the main .htaccess?

I think htaccess is the best solution for the problem (it’s exactly what htaccess is there for) however I think the rule needs updating. Directory or DirectoryMatch rules could be added for the cache folder.

Directory or DirectoryMatch rules could be added for the cache folder.

I think that’s a good idea.

I dont think it is possible to use DirectoryMatch or Directory in .htaccess. Not really sure at this stage what the best setup is.

@Alistair In this case, I suggest to change index.php directly.

define('DOCROOT', rtrim(dirname(__FILE__), '\/'));
define('DOMAIN', rtrim(rtrim($_SERVER['HTTP_HOST'], '\/') . dirname($_SERVER['PHP_SELF']), '\/'));
define('CONFIG', DOCROOT . '/../config.php'); ## Here is the secret..

require(DOCROOT . '/symphony/lib/boot/bundle.php');

function renderer($mode='frontend'){
    require_once(CORE . "/class.{$mode}.php");
    return ($mode == 'administration' ? Administration::instance() : Frontend::instance());
}

$renderer = (isset($_GET['mode']) ? strtolower($_GET['mode']) : 'frontend');
$output = renderer($renderer)->display(getCurrentPage());

header(sprintf('Content-Length: %d', strlen($output)));
echo $output;

exit();

What do you think?

@Alistair In this case, I suggest to change index.php directly.

I assume you mean to put the config outside the public folder. 2 problems with this approach.

  1. Not all web hosts let you do that
  2. It means the index.php file must change based on where you put the config.php file.

Perhaps the default install has a .htaccess with a FilesMatch rule denying access to the config file, but not worrying about anything else.

<FilesMatch "^config.php$">
    deny from all
</FilesMatch>

We could write a tutorial/article on hardening up a Symphony installation, which could cover moving the config.php.

I have decided to remove the manifest/.htaccess file altogether. Post-2.0.7 I shall write an article on how to harden up a Symphony install, and this will include the creation of a .htacess in the manifest folder.

I should add, those having problems with the “deny from all”, feel free to delete manifest/.htaccess.

This issue is closed.

Symphony • Open Source XSLT CMS

Server Requirements

  • PHP 5.3-5.6 or 7.0-7.1
  • PHP's LibXML module, with the XSLT extension enabled (--with-xsl)
  • MySQL 5.5 or above
  • An Apache or Litespeed webserver
  • Apache's mod_rewrite module or equivalent

Compatible Hosts

Sign in

Login details