Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#1337 closed Bug (fixed)

Create .htaccess files at runtime

Reported by: vipsoft
Owned by: vipsoft
Priority: normal
Milestone: Piwik 0.6.1
Component: Core
Keywords:
Cc:
Sensitive: no

Description

In [1743], .htaccess files were added to core, lang, libs, plugins, and themes to guard against directory listing and direct access to .php and .tpl files. This ascribes to the "secure by default" principle.

It addresses the potential 'information disclosure' vulnerability (i.e., script path or include path) on a misconfigured web server, and avoids the need to add "defined('PIWIK_INCLUDE_PATH') or die;" to .php files (which we started doing in [1335], but not yet for files that contain subclasses).

Unfortunately, some are experiencing problems:

  • wrong permissions (when files are uploaded to server)
  • "Loading data... oops...an error has occured during the query, please try again." (unless the .htaccess files are removed)

Change History (6)

comment:1 Changed 4 years ago by vipsoft (robocoder)

  • Resolution set to fixed
  • Status changed from new to closed

(In [2147]) fixes #1337 - remove static .htaccess files and defined('PIWIK_INCLUDE_PATH') or die "guard"; we'll enhance PhpSecInfo to assist the user in configuring their environment more securely

comment:3 Changed 4 years ago by vipsoft (robocoder)

(In [2149]) refs #1337 - create .htaccess files at runtime (Installation); tested with Order deny,allow (and allow,deny), AllowOverride All (vs none)

comment:4 Changed 4 years ago by vipsoft (robocoder)

  • Summary changed from .htaccess files to Create .htaccess files at runtime

comment:5 Changed 4 years ago by vipsoft (robocoder)

(In [2223]) refs #1337 - allow direct access to .test.php files

comment:6 Changed 4 years ago by vipsoft (robocoder)

(In [2315]) refs #1337 - only create .htaccess files at Installation if Apache detected. Jetty's HTAccessHandler doesn't fully support Apache .htaccess files.
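The runtime generation the comments above describe, written out as an added example (not Piwik's own code): the .htaccess content the ticket calls for is written into the listed directories, but only when Apache is detected. The function names, the SERVER_SOFTWARE check and the exact FilesMatch rules are assumptions.

```php
<?php
// Added example, not Piwik's code: write the per-directory .htaccess files this
// ticket describes at installation time. Function names are hypothetical.

function isApache(): bool
{
    // Only Apache honours these files (comment:6); Jetty's HTAccessHandler does not.
    return isset($_SERVER['SERVER_SOFTWARE'])
        && stripos($_SERVER['SERVER_SOFTWARE'], 'Apache') !== false;
}

function htaccessContent(): string
{
    // Apache 2.2 syntax as tested in comment:3; needs AllowOverride Limit+Options.
    return implode("\n", [
        '# Generated at installation: no listings, no direct .php/.tpl requests',
        'Options -Indexes',
        '<FilesMatch "\.(php|tpl)$">',
        '    Order deny,allow',
        '    Deny from all',
        '</FilesMatch>',
        '# .test.php files stay directly reachable (comment:5)',
        '<FilesMatch "\.test\.php$">',
        '    Order deny,allow',
        '    Allow from all',
        '</FilesMatch>',
    ]) . "\n";
}

function createHtAccessFiles(string $root, array $dirs): array
{
    $written = [];
    if (!isApache()) {
        return $written;
    }
    foreach ($dirs as $dir) {
        $path = rtrim($root, '/') . '/' . $dir . '/.htaccess';
        if (file_exists($path)) {
            continue;  // keep an existing (possibly hand-edited) file
        }
        if (file_put_contents($path, htaccessContent(), LOCK_EX) !== false) {
            chmod($path, 0644);  // readable by httpd whatever the upload umask was
            $written[] = $path;
        }
    }
    return $written;
}

// The directories listed in the ticket description.
createHtAccessFiles(__DIR__, ['core', 'lang', 'libs', 'plugins', 'themes']);
```

Because "Order deny,allow" lets a matching Allow override the earlier Deny, the second FilesMatch re-opens only the .test.php files while every other .php and .tpl request in the directory is refused.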
