Blocking access to some folders in Joomla 3.0


Rouven Weßling

Sep 4, 2012, 7:58:40 AM
to joomla-...@googlegroups.com
Hi everyone,

we've discussed this in JSST a while ago but since this is a change impacting extensions quite a bit this deserves a discussion on this list as well.

Since Joomla 1.6 (or earlier? I'm not too sure) there have been efforts to limit all client accessible files to the media directory. The patch would disallow access to certain folders that should absolutely contain nothing that should be served to the client or accessed by it. This is a sort of minimum set to not cause too many problems. Personally I'm for disallowing access to more folders but I can see that many extensions still have their assets in the same folder as their code. We could however announce that access to other folders will disappear in the future.

The second change is that it disallows directory listings. Eventually that will hopefully allow us to get rid of those damn index.html files, if not it's still a win for those that have extensions that come without index.html files.

Patch: https://github.com/realityking/joomla-cms/compare/htaccess

Your thoughts?

Best regards
Rouven

Donald Gilbert

Sep 5, 2012, 1:12:36 AM
to joomla-...@googlegroups.com
+1

Prepping the system and developers for the eventual time when the only thing in the docroot will be the media/assets folder, .htaccess file, and the index.php (with all code files before the root) is a good thing. I don't see this breaking anything. 

brian teeman

Sep 5, 2012, 2:57:17 AM
to joomla-...@googlegroups.com
What about those people operating on IIS or other web servers that do not support htaccess?

Thandi Nhlapo

Sep 5, 2012, 4:23:01 AM
to joomla-...@googlegroups.com

How do I remove a margin from my home page?


Ove

Sep 5, 2012, 10:46:49 AM
to joomla-...@googlegroups.com, Rouven Weßling
I agree to restrict the access to folders and to move extension assets to a common folder. However I have a problem with the naming as media. I really miss a Media-folder to store extension restricted Media e.g. uploaded images/video/pdf .... Why not a new folder? Some extensions store Media in the media folder. I believe assets and media should be kept apart.

folder assets -> store extensions icons, js, css .... (hopefully less used with bootstrap)
folder media -> store extensions media, generally not public
folder images -> store public media, e.g. available through the editors.

This means that the installer beside the media folder has to handle the assets folder. The handling of the media folder can probably not be removed to be backward compatible.

Regards
Ove

Rouven Weßling

Sep 5, 2012, 11:44:28 AM
to joomla-...@googlegroups.com

On 05.09.2012, at 16:46, Ove <tobby.e...@gmail.com> wrote:

> I agree to restrict the access to folders and to move extension assets to a common folder. However I have a problem with the naming as media. I really miss a Media-folder to store extension restricted Media e.g. uploaded images/video/pdf .... Why not a new folder? Some extensions store Media in the media folder. I believe assets and media should be kept apart.

A folder for that use would be great but I wouldn't change the meaning of the existing media folder - too much depends on it.

On 05.09.2012, at 08:57, brian teeman <joom...@googlemail.com> wrote:

> What about those people operating on IIS or other web servers that do not support htaccess?

I don't know enough about the IIS configuration file to do it myself - actually I don't even know if that level of control exists. Since this doesn't limit the functionality of Joomla - just one precaution missing - I don't think it's a deal breaker.

As for other web servers, AFAIK we only support IIS and Apache. With other servers, SEF URLs probably don't even work.

Best regards
Rouven

Ove

Sep 5, 2012, 1:48:54 PM
to joomla-...@googlegroups.com, Rouven Weßling
I thought you would say that. Yes it's probably too risky. But I really
need a Media folder to hook component media to. As is I by default store
them in the component folder even if it's not any preferred solution.
The user can change it in the configuration to images/xyz if he e.g. has
a single admin/editor or to any other folder. Also being a problem.
Using the current media folder for it, is no nice alternative since it's
about uploads also from frontend users. I could create an own folder in
the root. Good solution? No, don't think so.

I suggest that Joomla with the installation adds a new mediafolder. A
future media manager could also support this path. As I'm not native
English I don't have any nice name suggestion.

Without this folder I probably get a problem with restricted access to
the components folder or a mess in other paths.

Regards
Ove

Rouven Weßling

Sep 5, 2012, 2:03:22 PM
to joomla-...@googlegroups.com
On 05.09.2012, at 19:48, Ove <tobby.e...@gmail.com> wrote:

> Without this folder I probably get a problem with restricted access to the components folder or a mess in other paths.

Just to clarify, the proposed patch aims for minimal problems and doesn't include the components, modules or plugins folder. Sometime in the future it should be expanded, but I think we need to give devs enough time to adjust for this. (Yes in theory they had since 1.6 but how many are even aware of this?)

Best regards
Rouven
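
An audit an extension developer or site owner could run before such a restriction is rolled out, added here as an example and not part of the thread or of the proposed patch: it walks a Joomla docroot and reports client assets that live in folders which would be blocked, plus folders that have no index.html and would therefore show up in a directory listing. The blocked folder set, the asset extension list and the sample tree are assumptions; the thread only states that components, modules and plugins are not blocked.

```python
import os

# Assumed folder set for illustration; the thread only says that components,
# modules and plugins are NOT blocked by the proposed patch.
BLOCKED = {"cli", "includes", "libraries", "logs", "tmp"}
ASSET_EXT = {".css", ".js", ".png", ".jpg", ".gif", ".svg", ".ico", ".woff"}

# Constructed sample tree (relative paths), not taken from a real extension.
SAMPLE = [
    "libraries/index.html",
    "libraries/example/helper.php",
    "libraries/example/style.css",      # asset shipped next to code
    "media/index.html",
    "media/com_example/index.html",
    "media/com_example/app.js",         # asset where it belongs
    "components/index.html",
    "components/com_example/index.html",
    "components/com_example/logo.png",  # not blocked yet, so not reported
]


def build_sample(root):
    """Create the constructed sample tree under root as empty files."""
    for rel in SAMPLE:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


def audit(docroot, blocked=BLOCKED):
    """Return (assets_in_blocked_folders, dirs_without_index_html)."""
    assets, listable = [], []
    for cur, _dirs, files in os.walk(docroot):
        rel = os.path.relpath(cur, docroot).replace(os.sep, "/")
        if rel == ".":
            continue  # the docroot itself is served by index.php
        # Without index.html, a server with listings enabled exposes the folder.
        if "index.html" not in files:
            listable.append(rel)
        if rel.split("/")[0] in blocked:
            for name in files:
                if os.path.splitext(name)[1].lower() in ASSET_EXT:
                    assets.append(rel + "/" + name)
    return sorted(assets), sorted(listable)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit(tmp))
```

Passing `blocked=BLOCKED | {"components", "modules", "plugins"}` previews the wider restriction mentioned for a later release.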

Roberto Segura

Sep 5, 2012, 6:07:30 PM
to joomla-...@googlegroups.com
I think that the patch is ok.

Current media folder or working extensions aren't broken.

This will not free us from index.html files as this doesn't work on IIS.

Ofer Cohen

Sep 6, 2012, 12:16:48 PM
to joomla-...@googlegroups.com
> What about those people operating on IIS or other web servers that do not support htaccess?

As one who used nginx, I've written an htaccess alternative for nginx: http://docs.joomla.org./nginx
We can just update it. I can assume that others will update other servers also.
