+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived General Discussion (https://forum.codeigniter.com/forumdisplay.php?fid=21)
+--- Thread: .htaccess warning (/showthread.php?tid=25389)
.htaccess warning - El Forum - 12-10-2009
[eluser]Unknown[/eluser]
Hey guys,
I've just found huge security bug in my server config.
In /var/www/mysite I have folder named (lets say) "zzz" and folder named "zzzcache". "zzz" is a parent of "zzz/images" "zzz/css" "zzz/js" etc. - it should be public. "zzzcache" is for cache (user by my own CI cache library) where I keep things like user data - it should be private.
So, .htaccess configuration (based on this from CI user guide) was:
Code:
RewriteEngine on
RewriteCond $1 !^(index\.php|zzz)
RewriteRule ^(.*)$ /index.php/$1 [L]Looks good, right?
Well.. it is wrong. There is a web access to zzzcache :/
Correct .htaccess file looks like this:
Code:
RewriteEngine on
RewriteCond $1 !^(index\.php|zzz/)
RewriteRule ^(.*)$ /index.php/$1 [L]Code:
RewriteEngine on
RewriteCond $1 !^(index\.php|images|robots\.txt)
RewriteRule ^(.*)$ /index.php/$1 [L]To:
Code:
RewriteEngine on
RewriteCond $1 !^(index\.php|images/|robots\.txt)
RewriteRule ^(.*)$ /index.php/$1 [L]Or even:
Code:
RewriteEngine on
RewriteCond $1 !^(index\.php/|images/|robots\.txt/)
RewriteRule ^(.*)$ /index.php/$1 [L]ps.
I know it was stupid thing to have o+r on cache files.. but, I still think that default .htaccess from user_guide is confusing.