Prevent direct access to the administrator/cache and administrator/logs folder
It should never be directly accessed and it may contain sensitive data.
This is only for Apache web servers.
Use your web browser to access the following URLs:
/administrator/logs
/administrator/cache
empty page
403 denied
Documentation link for docs.joomla.org:
No documentation changes for docs.joomla.org needed
Pull Request link for manual.joomla.org:
No documentation changes for manual.joomla.org needed
Status | New | ⇒ | Pending |
Category | ⇒ | Administration |
Makes sense to me but we should also drop a web.config file in to match like we have in libraries https://github.com/joomla/joomla-cms/blob/4.2-dev/libraries/web.config
Damn, I missed that file - updating now
When generating the assembly, directory administrator\logs is missing. I don’t know, perhaps this is how it was intended, but in this particular case, the 2 new files do not get into the log directory when installing the assembly.
In addition, maybe now we will remove the junk index.html from these directories?
And 1 more bug. Install the assembly, enable standard caching in the general settings. Surf the site (create a cache). Go to clearing the cache, but at the same time keep an eye on the administrator\cache directory - when the cache is completely cleared, new files remain in place, but when clearing the OBSOLETE cache, I delete the new file web.config.
Site on Apache. I assume that the opposite file (???) will be deleted on another server.
Isn't that file deleted once you hit manually clean cache?
As mentioned by @Kostelano
but when clearing the OBSOLETE cache, I delete the new file web.config.
grrh
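The failure reported above (purging the obsolete cache also removes the new web.config), illustrated as an added example; this is not Joomla's code or code from this pull request. The guard-file list and the function names `purge_expired` and `missing_guards` are assumptions made for the illustration.

```python
import os
import time

# Assumption: files that block direct web access to a directory
# (Apache .htaccess, IIS web.config) plus the legacy index.html placeholder.
GUARD_FILES = {".htaccess", "web.config", "index.html"}


def purge_expired(cache_dir, max_age_seconds, now=None):
    """Delete cache files older than max_age_seconds, never the guard files.

    Returns the sorted list of relative paths that were removed.
    """
    now = time.time() if now is None else now
    removed = []
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            path = os.path.join(root, name)
            # Guard files are protected only at the top of the directory;
            # a cached item with the same name deeper down is ordinary data.
            if root == cache_dir and name in GUARD_FILES:
                continue
            if now - os.path.getmtime(path) > max_age_seconds:
                os.remove(path)
                removed.append(os.path.relpath(path, cache_dir))
    return sorted(removed)


def missing_guards(directory, required=(".htaccess", "web.config")):
    """Return the required guard files that are absent from directory."""
    return [n for n in required
            if not os.path.isfile(os.path.join(directory, n))]


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:  # constructed sample directory
        for name in (".htaccess", "web.config", "page-abc.php"):
            open(os.path.join(d, name), "w").close()
            os.utime(os.path.join(d, name), (0, 0))  # make every file look old
        print(purge_expired(d, 900), missing_guards(d))
```

Running `missing_guards` on administrator/cache and administrator/logs after each kind of cache or log cleanup shows whether the protection files survived it.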
Status | Pending | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2022-10-18 10:22:44 |
Closed_By | ⇒ | brianteeman |
Prevent direct access to the administrator/cache and administrator/logs folder
Why not restrict this patch to just the administrator/logs folder?
Theoretically (not sure) this can also be a problem, similar to clearing the cache folder. There is a parameter that is responsible for the frequency of cleaning the log folder. Honestly, I did not try to see how it does it, but this point is also worth checking.
I have tested this item ✅ successfully on 2216cf2
Web Server Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/8.1.10
No code review
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/38985.