Task #42550

Add top-level .htaccess to block everything but Web

Added by Karsten Dambekalns almost 3 years ago. Updated over 2 years ago.

Status: Under Review
Priority: Should have
Assigned To: Karsten Dambekalns
Category: -
Target version: -
Sprint:
Start date: 2012-10-31
Due date:
% Done: 0%
Has patch: No
PHP Version:
Complexity:

Description

Although we ask to use Web as document root, that is often not done and/or possible (think about the practice of default host setups like pXXX.server.tld being hardwired to the top level folder for many hosters). So people feel safe because they added a vhost pointing to Web, but don't think about that default host.

Should we add a .htaccess file to the top level that allows access only to Web? Please vote and/or discuss!

History

#1 Updated by Karsten Dambekalns almost 3 years ago

Two ways to do this so far.

Simple, but affecting two files

.htaccess

# Top-level .htaccess: nothing under the project root is served directly
Order Deny,Allow
Deny from all

Web/.htaccess

…
# Access directives in Web/.htaccess replace the parent's, so Web stays reachable
Allow from all

Complex, only one file affected

.htaccess

# Mark requests whose URI contains /Web/ as public and deny everything else
SetEnvIf Request_URI /Web/ ispublic=1
Order Deny,Allow
Deny from all
Allow from env=ispublic

#2 Updated by Bastian Waidelich almost 3 years ago

Karsten Dambekalns wrote:

Two ways to do this so far.

I'd prefer the simple solution with two files and without environment variables (which are not supported on several shared hosters)

#3 Updated by Adrian Föder almost 3 years ago

Yep, I agree with the simple variant too, and since Web/ has a .htaccess already, two files are affected, but only one new one is introduced...

#4 Updated by Karsten Dambekalns almost 3 years ago

Agreed. Also, the complex variant doesn't even work - it blocks as soon as Web is used as document root as intended, because then there's no Web in the request URI… :)
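The following is an added example, not code from this ticket or from the Flow project. It simulates how Apache 2.2 evaluates the two .htaccess variants from #1 for the two deployments the ticket talks about (a default host hard-wired to the project root, and a proper vhost with DocumentRoot = Web) and reproduces the failure described in #4. Assumptions not stated on the page: AllowOverride covers the whole project tree, so the top-level .htaccess is read even when Web is the document root; Order/Allow/Deny in a child .htaccess replace the parent's set entirely (mod_authz_host has no merge function); the request paths Configuration/Settings.yaml and Data/Logs/System.log are constructed sample targets; and only `Order Deny,Allow`, `from all` and `from env=VAR` are modelled. On Apache 2.4 these directives need mod_access_compat; the native 2.4 form is `Require all denied` / `Require all granted`.

```python
"""Simulate Apache 2.2 per-directory access control for the two .htaccess
layouts from the ticket.  Added example; not code from the ticket or Flow.

Assumptions: AllowOverride covers the whole project tree; Order/Allow/Deny
in a deeper .htaccess replace the parent's set (child config overrides,
it is not merged); SetEnvIf results accumulate on the request; only
`Order Deny,Allow`, `from all` and `from env=VAR` are modelled.
"""
import posixpath
import re

# Constructed project trees: project-relative directory -> its .htaccess lines.
SIMPLE = {
    "": ["Order Deny,Allow", "Deny from all"],
    "Web": ["Allow from all"],   # the rewrite rules already in Web/.htaccess do not matter here
}
COMPLEX = {
    "": ["SetEnvIf Request_URI /Web/ ispublic=1",
         "Order Deny,Allow", "Deny from all", "Allow from env=ispublic"],
    "Web": [],                   # Web/.htaccess untouched: no access directives
}


def _parse(lines):
    """Split one .htaccess into SetEnvIf rules and Order/Allow/Deny directives."""
    setenvif, access = [], []
    for line in lines:
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()
        if keyword == "setenvif":           # SetEnvIf <attribute> <regex> <var>[=<value>]
            var, _, value = parts[3].partition("=")
            setenvif.append((parts[1], re.compile(parts[2]), var, value or "1"))
        elif keyword in ("order", "allow", "deny"):
            access.append(parts)
    return setenvif, access


def _matches(host_spec, env):
    """'all' matches every client; 'env=VAR' matches when the request has VAR set."""
    if host_spec == "all":
        return True
    if host_spec.startswith("env="):
        return host_spec[4:] in env
    raise ValueError("host spec not modelled: " + host_spec)


def is_allowed(tree, docroot, request_uri):
    """True if Apache would serve request_uri on a vhost whose DocumentRoot is
    the project-relative directory `docroot` ("" = project root)."""
    # Apache collapses ".." in the URI before touching the filesystem, so a
    # request cannot climb above the DocumentRoot.
    uri = posixpath.normpath("/" + request_uri.lstrip("/"))
    rel = posixpath.normpath(posixpath.join(docroot, uri.lstrip("/")))
    rel = "" if rel == "." else rel
    target_dir = rel if request_uri.endswith("/") else posixpath.dirname(rel)

    # Directories whose .htaccess is consulted, project root first.
    dirs = [""]
    if target_dir:
        parts = target_dir.split("/")
        dirs += ["/".join(parts[:i + 1]) for i in range(len(parts))]

    env, access = {}, []
    for d in dirs:
        setenvif, directives = _parse(tree.get(d, []))
        for attribute, regex, var, value in setenvif:
            if attribute == "Request_URI" and regex.search(request_uri):
                env[var] = value
        if directives:
            access = directives      # child config overrides the parent's

    denied = allowed = False
    for directive in access:
        keyword = directive[0].lower()
        if keyword == "order":
            if directive[1].lower() != "deny,allow":
                raise NotImplementedError("only Order Deny,Allow is modelled")
            continue
        if _matches(directive[2], env):
            if keyword == "deny":
                denied = True
            else:
                allowed = True
    # Order Deny,Allow: an Allow match wins over Deny; no directives means allow.
    return allowed or not denied


def scenarios(tree):
    """Outcomes for a default host hard-wired to the project root ("root:")
    and for a proper vhost with DocumentRoot = Web ("web:")."""
    return {
        "root:/Web/index.php": is_allowed(tree, "", "/Web/index.php"),
        "root:/Configuration/Settings.yaml": is_allowed(tree, "", "/Configuration/Settings.yaml"),
        "root:/Data/Logs/System.log": is_allowed(tree, "", "/Data/Logs/System.log"),
        "web:/index.php": is_allowed(tree, "Web", "/index.php"),
    }


if __name__ == "__main__":
    for name, tree in (("simple", SIMPLE), ("complex", COMPLEX)):
        for request, ok in scenarios(tree).items():
            print(f"{name:8} {request:36} {'allowed' if ok else 'DENIED'}")
```

Both variants block Configuration/ and Data/ on the hard-wired default host, but only the simple variant still serves index.php once Web is the document root, because Request_URI is then "/index.php" and the SetEnvIf pattern never matches. The override semantics are also why the `Allow from all` line in Web/.htaccess is required: with a top-level `Deny from all` and no access directive in Web/.htaccess, Web inherits the denial.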

#5 Updated by Karsten Dambekalns almost 3 years ago

  • Subject changed from Add top-level .htaccess to blick everything but Web to Add top-level .htaccess to block everything but Web

#6 Updated by Gerrit Code Review almost 3 years ago

  • Status changed from Needs Feedback to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/16078

#7 Updated by Karsten Dambekalns almost 3 years ago

  • Target version set to 2.0

#8 Updated by Robert Lemke almost 3 years ago

Karsten Dambekalns wrote:

Although we ask to use Web as document root, that is often not done and/or possible (think about the practice of default host setups like pXXX.server.tld being hardwired to the top level folder for many hosters). So people feel safe because they added a vhost pointing to Web, but don't think about that default host.

Should we add a .htaccess file to the top level that allows access only to Web? Please vote and/or discuss!

+1 for the idea.

I don't have time this week to check the actual .htaccess implementation but if it works fine without bad side effects for people who set up Flow the right way, that's fine.

#9 Updated by Karsten Dambekalns over 2 years ago

  • Target version deleted (2.0)
