Item9243: configure checker to test that all scripts (er, or files) in foswiki/bin are secured in htaccess or localsite
Current State: Confirmed
Released In: n/a
Target Release: n/a
Applies To: Engine
Basically, we want to make sure that if an extension adds a new CGI, the admin knows about it and is able to make sure it's secured appropriately.
Similarly, my bin has an nytprof.out file - and that should be highlighted.
- 02 Jul 2010
I was thinking about this a bit, but in many installations, bin is protected in the apache configuration, not .htaccess files. Any thoughts on how configure could actually examine the active httpd configuration? Given how few sites actually use the .htaccess files, it doesn't make sense to try to base a checker around them for the validation. I have not found any examples of a cgi script actually validating the contents of the server configuration.
I wonder if another option would be to secure all files in bin with a wildcard and then unsecure the ones that should be open. This would result in auto protection of new additions. Same for the LocalSite.cfg variable. Deprecate the list of protected scripts and instead use a list of "open" scripts with everything else protected.
As far as validating the LocalSite.cfg protections, this would probably make more sense in a "scenario" wizard - depending upon the type of site you run, a different list of protected scripts would be required.
- 23 Jul 2010
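As an added illustration, and not code from Foswiki or from this item, the following standalone Python sketch shows the logic a checker of this kind would need: classify every entry in bin against a set of "open" scripts and the Files/FilesMatch blocks of a .htaccess fragment, flag entries that are not scripts at all (the nytprof.out case above) and scripts nobody has decided about (a CGI added by an extension), and render the "protect everything, then open a list" .htaccess proposed in the comment above. Foswiki's configure is Perl; Python is used here only so the example runs on its own. The bin listing, the open-script set and the .htaccess fragment are constructed sample input; the housekeeping file list, the Require-based parsing (Apache 2.4 syntax only, no 2.2 Allow/Deny/Satisfy) and all function names are assumptions of this example.

```python
"""
Added illustration (not Foswiki code): the "invert the list" checker idea.

Given a listing of bin/, the set of scripts meant to be public, and the
.htaccess fragment currently protecting the directory, report:
  - stray:       entries that are not CGI scripts at all (nytprof.out, ...)
  - unprotected: scripts neither public nor matched by an auth'd Files block
  - protected / open: scripts that are accounted for
and render the "gate everything, then open a list" .htaccess.
"""
import re

# Files that legitimately live in bin/ but are not scripts.
# Constructed list; a real checker would get it from configure.
HOUSEKEEPING = {".htaccess", ".htaccess.txt", "setlib.cfg",
                "LocalLib.cfg", "LocalLib.cfg.txt"}

# Foswiki CGI scripts are bare lowercase names (view, viewauth, rest, ...).
SCRIPT_NAME = re.compile(r"^[a-z][a-z0-9_]*$")

# <Files "name"> / <FilesMatch "regex"> ... </Files(Match)>.  A <Files>
# argument is treated as a literal name (Apache also allows shell wildcards
# there; not handled).  Only "Require valid-user" counts as "protected".
SECTION = re.compile(
    r'<(Files|FilesMatch)\s+"?([^">]+?)"?\s*>(.*?)</(?:Files|FilesMatch)>',
    re.S | re.I,
)
REQUIRE_AUTH = re.compile(r"^\s*Require\s+valid-user\b", re.M | re.I)


def parse_protected_patterns(htaccess_text):
    """Compiled regexes for every Files/FilesMatch block that demands a login."""
    patterns = []
    for kind, arg, body in SECTION.findall(htaccess_text):
        if not REQUIRE_AUTH.search(body):
            continue
        if kind.lower() == "files":
            patterns.append(re.compile("^" + re.escape(arg) + "$"))
        else:
            patterns.append(re.compile(arg))  # FilesMatch is an unanchored regex
    return patterns


def classify_bin(entries, open_scripts, htaccess_text):
    """Sort bin/ entries into open / protected / unprotected / stray."""
    protected = parse_protected_patterns(htaccess_text)
    report = {"open": [], "protected": [], "unprotected": [], "stray": []}
    for name in sorted(entries):
        if name in HOUSEKEEPING:
            continue
        if not SCRIPT_NAME.match(name):
            report["stray"].append(name)        # e.g. a profiler's nytprof.out
        elif name in open_scripts:
            report["open"].append(name)         # deliberately public
        elif any(p.search(name) for p in protected):
            report["protected"].append(name)    # gated by the current .htaccess
        else:
            report["unprotected"].append(name)  # new CGI nobody has decided about
    return report


def render_default_deny(open_scripts):
    """Emit the inverted policy: gate every file, then grant the listed scripts.

    Apache 2.4 syntax.  With the default AuthMerging Off, the Require in the
    later FilesMatch replaces the catch-all's Require for the files it matches.
    """
    public = "|".join(re.escape(s) for s in sorted(open_scripts))
    return (
        '<FilesMatch ".">\n'
        "    Require valid-user\n"
        "</FilesMatch>\n"
        f'<FilesMatch "^({public})$">\n'
        "    Require all granted\n"
        "</FilesMatch>\n"
    )


# --- constructed sample input, not taken from any real site ----------------
SAMPLE_BIN = ["view", "viewauth", "edit", "save", "rest", "configure",
              "mynewcgi", "nytprof.out", "setlib.cfg", "LocalLib.cfg",
              ".htaccess"]
SAMPLE_OPEN = {"view", "oops", "login"}
SAMPLE_HTACCESS = '''
# in the style of the "list the protected scripts" approach
<FilesMatch "(attach|edit|manage|rename|save|upload|rest|.*auth).*">
    Require valid-user
</FilesMatch>
'''

if __name__ == "__main__":
    result = classify_bin(SAMPLE_BIN, SAMPLE_OPEN, SAMPLE_HTACCESS)
    for bucket, names in result.items():
        print(f"{bucket:12s} {', '.join(names) or '-'}")
    print(render_default_deny(SAMPLE_OPEN))
```

On the sample input, configure and mynewcgi end up in the unprotected bucket and nytprof.out in stray, which is exactly what the admin should be told about; the rendered fragment shows how the same site looks once the list is inverted. This does nothing for sites whose protection lives in httpd.conf rather than .htaccess, the limitation the thread raises.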
Confirmed... but only partially. No idea how to determine that the web server (Apache, nginx, IIS, etc.) is providing proper protection.
- 24 Dec 2014