[wp-trac] Re: [WordPress Trac] #1038: Limit access to php files
WordPress Trac
wp-trac at lists.automattic.com
Sun Apr 16 14:07:09 GMT 2006
#1038: Limit access to php files
----------------------+-----------------------------------------------------
Id: 1038 | Status: assigned
Component: Security | Modified: Sun Apr 16 14:07:09 2006
Severity: trivial | Milestone: 2.1
Priority: lowest | Version: 2.0.2
Owner: matt | Reporter: anonymousbugger
----------------------+-----------------------------------------------------
Comment (by szepter):
''On many hosts, the include files could then be easily moved outside of
webspace altogether, along with the database passwords from wp-config.''
Most hosting providers don't allow accessing files or writing to files
outside of the docroot, which is the "webspace" in most cases.
Altogether I would say this nice security advice to WP users would make
things more complicated ("You should place files there or there and modify
the paths there and there ... otherwise things can go wrong ..." and so on
...). Well, this advice is really nice, but not for users who are new to
WP.
If Apache stops parsing PHP files under some improbable circumstance,
these files wouldn't be executed, the code is served raw, nothing can
happen, except that you can read the source code, but that's something you
can do much more easily by downloading the latest WP version from the website.
I think it's no use overloading code for providing a non-trivial
protection system that only works under Apache or under specific
circumstances.
--
Ticket URL: <http://trac.wordpress.org/ticket/1038>
WordPress Trac <http://wordpress.org/>
WordPress blogging software