zero-24
21 Apr 2017

Pull Request for: #8957

Summary of Changes

Add htaccess and web.config files to the libraries folder that deny all direct access to the files in that folder

Testing Instructions

  • apply this patch
  • try to directly access the files in the lib folder, like some external libs in the vendor folder

Expected result

You are not allowed to directly access that file (e.g. a 403 error message)

Actual result

In some server setups you see an error message.

Documentation Changes Required

None.

zero-24 - open - 21 Apr 2017
zero-24 - change - 21 Apr 2017
Status New Pending
joomla-cms-bot - change - 21 Apr 2017
Category Libraries
wilsonge - comment - 21 Apr 2017

Is there a reason to do this to the libraries folder rather than just libraries/vendor?

zero-24 - comment - 21 Apr 2017

We also have non-Joomla code in libraries, so better safe than sorry :) You should never call something in libraries from public.

mbabker - comment - 21 Apr 2017

Doing this change in the base libraries directory is going to be too intrusive to extensions which are doing terrible crap like serving web assets (CSS/JS) from the libraries directory. This also prevents them from having direct access scripts in the directory (which even though some will say the only valid entry point into a Joomla application is index.php you can still do this as long as you're taking care of all the risks involved, as in we do not forbid it).

If the intent is to merge this before 4.0 we can only protect the libraries/vendor directory in this way. Anything more would cause more backlash than it's worth.

zero-24 - change - 21 Apr 2017
Labels Added: ?
joomla-cms-bot - change - 21 Apr 2017
Category Libraries External Library Libraries
zero-24 - comment - 21 Apr 2017

If the intent is to merge this before 4.0 we can only protect the libraries/vendor directory in this way. Anything more would cause more backlash than it's worth.

Done.

Bakual - comment - 21 Apr 2017

Could there be some server setups where adding a .htaccess file (or adding that option in it) would not be allowed and generate an error? Or is it safe to assume that it works on every shared hoster?

zero-24 - comment - 21 Apr 2017

@Bakual I have been told that even if it is not supported it is just ignored. So the issue is still there, but we can't do much about that.

brianteeman - change - 22 Apr 2017
Title
Add htaccess und web.config files to the libaries folder
Add htaccess and web.config files to the libaries folder
brianteeman - edited - 22 Apr 2017
brianteeman - change - 22 Apr 2017
Title
Add htaccess and web.config files to the libaries folder
Add htaccess and web.config files to the libraries folder
brianteeman - edited - 22 Apr 2017
wilsonge - change - 22 Apr 2017
Status Pending Fixed in Code Base
Closed_Date 0000-00-00 00:00:00 2017-04-22 19:26:53
Closed_By wilsonge
Labels Added: ?
wilsonge - close - 22 Apr 2017
wilsonge - merge - 22 Apr 2017
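
The testing instructions above can be automated, which also catches hosts where the .htaccess or web.config file is silently ignored. This is an added example, not part of the pull request or of Joomla; the function names, the `staging.example.test` host and the choice of 403 as the only accepted deny status are assumptions.

```python
import os
import urllib.error
import urllib.request
from urllib.parse import quote


def http_status(url, timeout=10):
    """Return the HTTP status of a GET request; 4xx/5xx are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def vendor_urls(site_root, base_url, subdir="libraries/vendor"):
    """Map every file under <site_root>/<subdir> to the URL it would be served at."""
    top = os.path.join(site_root, *subdir.split("/"))
    urls = []
    for dirpath, _dirs, files in os.walk(top):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), site_root)
            urls.append(base_url.rstrip("/") + "/" + quote(rel.replace(os.sep, "/")))
    return sorted(urls)


def exposed_files(site_root, base_url, fetch=http_status, denied=(403,)):
    """Return (url, status) for each vendor file NOT answered with a deny status.

    Anything else counts as a finding: 200 means the file is served or executed,
    500 means the server choked on the deny rule or on the script itself.
    """
    findings = []
    for url in vendor_urls(site_root, base_url):
        status = fetch(url)
        if status not in denied:
            findings.append((url, status))
    return findings


if __name__ == "__main__":
    import sys
    # Usage (assumed paths): check.py /var/www/joomla https://staging.example.test
    root, base = sys.argv[1], sys.argv[2]
    for url, status in exposed_files(root, base):
        print(f"{status} {url}")
```

Run it against a site you administer, from a checkout that matches the deployed files; pass a different `denied` tuple if the host answers denied requests with another status.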
