[#15540] - [4.0] Add htaccess and webconfig to the 4.0 root lib folder
- Fixed in Code Base
- 13 Aug 2017
- Medium
- Build: 4.0-dev
- # 15540
- Diff
- zero-24:htaccess_lib_folder
- Success hound No violations found. Woof! Details
- Success continuous-integration/drone/pr the build was successful Details
- Success continuous-integration/travis-ci/pr The Travis CI build passed Details
- Failure continuous-integration/appveyor/pr AppVeyor build failed Details
User tests: Successful: Unsuccessful:
Summary of Changes
Add htaccess and webconfig to the 4.0 root lib folder as proposed here: #15457 (comment)
Documentation Changes Required
Lib folder is not longer be a place for things you can call.
NginX need to include that in the configuration
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Libraries |
While I agree with the intent of this, it needs to be made very clear with this change that Joomla will by default block any web request into the libraries/ directory. This means:
- No static assets (CSS, JS, images, fonts, etc. etc.)
- No direct access scripts (yes I realize people are going to respond with "they should go through
index.phpand the Joomla app" but not every developer is so irresponsible they can't handle the things that would make most advise to go that route
On an update to j4 this will automatically replace any existing htaccess or webconfig and presumably any future updated from 4.0 to 4.0.x etc will also overwrite the file.
We can also extend the default htaccess file in the root (without explizite adding it as .htaccess to the lib folder?
Apache 2.0-2.2? really?
@C-Lodder more sites uses apache 2.0 - 2.2 than any other version https://w3techs.com/technologies/details/ws-apache/2/all
| Milestone |
Added: |
||
| Milestone |
Added: |
||
Any news here? Should we go the extend the default htaccess part (IMO can be moved to staging than) or do we stay with the current proposal?
as nginx is a supported web server what happens
Nothing as thy just ignore these files ;)
Sorry I wasnt clear. If the user is on nginx (a supported server) how are we going to offer them the same protection.
IMO there is nothing we can do about that on a CMS level. As they do not offer such a configuration file. Same applys to the SEF stuff in our root htaccess / web.config
Maybe just add it to the relevant documentation then ?
I have just included that request in the intial post. Thanks.
wilsonge
- | Status | Pending | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2017-08-13 17:22:47 |
| Closed_By | ⇒ | wilsonge |
On an update to j4 this will automatically replace any existing htaccess or webconfig and presumably any future updated from 4.0 to 4.0.x etc will also overwrite the file.