black-studio / black-studio-tinymce-widget

Black Studio TinyMCE Widget plugin for WordPress
https://wordpress.org/plugins/black-studio-tinymce-widget/
GNU General Public License v3.0

Security update #40

Closed ramiy closed 7 years ago

ramiy commented 8 years ago

Prevent direct access to directories

cfoellmann commented 8 years ago

Some do this so do not do it. I am really feeling ambivalent about this practice. I have done it in the past but it should not be required on properly configured WP installs. Today it is also the default not to display folder content.

I am not sure this would count for an addition to the contributor list on wp.org

ramiy commented 8 years ago

I had a client that displayed folder content. Since then I add those files to all plugins.

And from a security point of view, you can't assume that the folder doesn't display the content.

marcochiesi commented 8 years ago

Hi ramiy, thanks for your contribution, but I think it needs a deeper discussion. Personally I don't believe in "Security through obscurity" and I think that preventing direct access to folders should be addressed by sysadmins and not by plugin developers (I also work as sysadmin). There's an interesting discussion about this topic on Stack Exchange, and I personally agree with this opinion (which is also the most voted actually). Good arguments about this are that those files affect performance and moreover exploit scanners don't need to request directory listings as they could check directly for vulnerabilities.

Anyway, since we are talking about a WordPress plugin, I think it would be important to follow WordPress guidelines and standards. As far as I know WordPress official documentation does not state anything official about this topic in the Writing a Plugin guide nor in the Hardening WordPress page. WordPress core itself only uses index.php files for a few folders (wp-content, wp-content/plugins and wp-content/themes) and not for every single folder of the tree, so I believe it would be far excessive to put a file in every single folder of a plugin.

I took a look at WordPress Featured plugins, which could be considered "almost" official since they're provided or sponsored by Automattic:

So it looks like the most common trend is not to use index.php files.

Of course I'll be ready to include index.php files in our plugin if the WordPress core team officially states that it's a best practice, or if the general trend becomes inclusion directly in plugins. Until then I would recommend addressing this issue at server level or using the Silence is Golden Guard plugin.
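For anyone weighing the two positions above, here is an added example (not code from this plugin or this PR) that audits a plugin tree for subdirectories without an index.php, i.e. the directories that would be listable on a server with directory indexes still enabled. The sample tree it builds is constructed for the demo; the "Silence is golden." stub mirrors the content WordPress core uses in its own index.php files.

```shell
#!/bin/sh
# Added example: report directories in a plugin tree that lack an index.php.
# This only reports; the server-level fix marcochiesi refers to is
# "Options -Indexes" in Apache or "autoindex off;" in nginx.

# Print every directory under $1 that has no index.php, one path per line.
dirs_missing_index() {
    root="$1"
    find "$root" -type d | while IFS= read -r d; do
        [ -e "$d/index.php" ] || printf '%s\n' "$d"
    done
}

# Number of such directories, usable as a pass/fail check in CI (0 = clean).
count_missing_index() {
    dirs_missing_index "$1" | wc -l | tr -d ' '
}

# Build a constructed sample plugin layout in a temp dir and audit it.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sample-plugin/includes" "$tmp/sample-plugin/assets/js"
    # Root and includes/ get the conventional stub; assets/ and assets/js do not.
    printf '<?php\n// Silence is golden.\n' > "$tmp/sample-plugin/index.php"
    printf '<?php\n// Silence is golden.\n' > "$tmp/sample-plugin/includes/index.php"
    dirs_missing_index "$tmp/sample-plugin"
    rm -rf "$tmp"
}
```

Running `demo` lists the two assets directories; `count_missing_index <plugin-dir>` gives a single number to gate on in a build.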