PetaByet / cdp

Simple & Open Source Server Backups
https://cdp.me
GNU General Public License v2.0

Better Individual File Security #20

Closed AlbinoGeek closed 9 years ago

AlbinoGeek commented 9 years ago

It doesn't really matter if someone goes directly to your config.php file, as it should never "echo" anything out to the page. However, if you must deny access to files such as this being viewed directly, consider doing this better as such:

In index.php (or the normal entry points):

define('CDP', true);

In files you want to deny direct access to:

if (!defined('CDP'))
  exit; // Show a 403 here?

You should not wrap your entire script in an if, just bail out!

PetaByet commented 9 years ago

Pushed an update.

alexandreteles commented 9 years ago

Actually the entire code isn't wrapped in an if. We are using the get_included_files() function to test if the file is being included or directly accessed and showing a 404 error if the file is being viewed directly.

The commit that introduced this function is mine and I was using this approach on another project, so I just used the snippet that I already had in the code editor. Both ways work well.
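Both guards discussed in this thread, written out as an added example (not code from the cdp repository); it assumes an entry point named index.php that includes a config.php, and shows both files in one block with the file boundaries marked in comments.

```php
<?php
// ---- index.php (the entry point) ----
// Mark that execution started at the front door, then pull in the config.
// The constant name CDP is the one proposed in the thread.
define('CDP', true);
require __DIR__ . '/config.php';

// ---- config.php (must not be reachable directly) ----
// Approach 1: the constant check. Bail out at the top of the file; nothing
// below needs to be wrapped in the if.
if (!defined('CDP')) {
    http_response_code(403); // 403 as AlbinoGeek suggests; a 404 hides the file's existence instead
    exit;
}

// Approach 2: the get_included_files() check from the commit alexandreteles
// describes. PHP lists the script the request started with as the first
// element, so if that entry is this file, nobody included us.
if (get_included_files()[0] === __FILE__) {
    http_response_code(404);
    exit;
}

// Constructed placeholder settings, not cdp's real config. A config file
// should only assign values; it must never echo anything, so even a direct
// hit produces an empty page rather than a leak.
$config = [
    'db_host' => 'localhost',
    'db_user' => 'example_user',
];
```

Either guard only helps when the request is actually executed by PHP; it does nothing if the server ever serves the file as plain text, so keeping secrets out of output is still the first line of defence.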

PetaByet commented 9 years ago

It was wrapped in an if checking the file access constant.

alexandreteles commented 9 years ago

Yeah, you are right. This one wasn't my fault :smile: