danpros / htmly

Simple and fast databaseless PHP blogging platform, and Flat-File CMS
https://www.htmly.com
GNU General Public License v2.0

[FEATURE REQUEST] Plz add version number on footer #766

Closed vvcares closed 1 month ago

vvcares commented 1 month ago

Plz add version number on footer

danpros commented 1 month ago

Hello,

We already have it in source so we do not need that:

<meta name="generator" content="HTMLy v2.9.8" />

Imagine Powered by HTMLy 3.0.0. If you want to add version number simply edit your layout.html.php and add it there.

KuJoe commented 1 month ago

I can't really think of a benefit for having the version number publicly listed. Most of the time bots use that to automate attacks and spam based on exploits in specific versions.

Any specific reason to need to see the version number on the screen anywhere besides the /admin/update page?

danpros commented 1 month ago

@KuJoe In the past I always used it for debugging only, like after an update etc. Also, sometimes people ask me directly via email why X is not working etc.; they drop the link, I view the source, and ask them to update to the latest version.

In the future we should have an option to disable the version tag, like how Nginx and Apache handle it.

vvcares commented 1 month ago

Having the version number in a public META tag is a welcome gift for hackers. But having the version tag in the ADMIN FOOTER / ADMIN HEADER (privately) is a dev matter. If a hacker is able to get as far as the ADMIN page, it means the dev can go to sleep instead. :-)

KuJoe commented 1 month ago

> @KuJoe In the past I always used it for debugging only, like after an update etc. Also, sometimes people ask me directly via email why X is not working etc.; they drop the link, I view the source, and ask them to update to the latest version.
>
> In the future we should have an option to disable the version tag, like how Nginx and Apache handle it.

What if instead of having it in the source code we added something like a /debug page and have it excluded in robots.txt so it's not indexed by search engines but it can still be manually pulled for troubleshooting? We can include other info there if needed like checks to make sure the proper PHP modules are loaded and such?

Nevermind, you can always check /cache/installedVersion.json for the installed version.

> Having the version number in a public META tag is a welcome gift for hackers. But having the version tag in the ADMIN FOOTER / ADMIN HEADER (privately) is a dev matter. If a hacker is able to get as far as the ADMIN page, it means the dev can go to sleep instead. :-)

This would be easy enough to do and I've gone looking for it in the past also, I'll try to get that added soon.

danpros commented 1 month ago

@vvcares I am very confident in htmly security actually (as long as we use a strong password). Like nginx or apache: just because their default behavior exposes the version tag, it doesn't mean nginx or apache is insecure.

Like I stated previously, we should allow the blog owner to choose whether to display the version tag or not.

@KuJoe It's generated from the function head_contents(). Every time we visit the admin/update page, update.html.php will rewrite/create installedVersion.json (needed for hub-updater); the value comes from index.php: define('HTMLY_VERSION', 'v2.9.8');

So after we check the version we can delete that file to remove the trace of the version number.
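One way the "let the blog owner choose" option discussed above could look, as an added example and not HTMLy's own code: a config-gated replacement for the generator tag that head_contents() emits, with the version kept for logged-in admins only. The config key `views.generator`, its three values and the `$is_admin` flag are assumptions for this illustration; `HTMLY_VERSION` is the constant from index.php mentioned in the thread.

```php
<?php
// Added example, not HTMLy's own code. Assumed: a config value
// 'views.generator' (name and values are hypothetical) with one of
// three settings, and HTMLY_VERSION defined in index.php as on the page.
//
//   'full' - <meta name="generator" content="HTMLy v2.9.8" /> (today's behaviour)
//   'name' - <meta name="generator" content="HTMLy" />         (product, no version)
//   'off'  - no generator tag at all
if (!defined('HTMLY_VERSION')) {
    define('HTMLY_VERSION', 'v2.9.8'); // placeholder so the file runs stand-alone
}

function generator_tag(string $mode, string $version = HTMLY_VERSION): string
{
    switch ($mode) {
        case 'full':
            $content = 'HTMLy ' . $version;
            break;
        case 'name':
            $content = 'HTMLy';
            break;
        case 'off':
        default:
            // Unknown or missing values fail closed: no tag, no version disclosure.
            return '';
    }
    // Escape so a tampered config or version string cannot inject markup.
    return '<meta name="generator" content="'
        . htmlspecialchars($content, ENT_QUOTES, 'UTF-8') . '" />' . "\n";
}

// The version stays visible to logged-in admins (the admin footer vvcares
// asked for) without being printed on every public page.
function admin_version_footer(bool $is_admin, string $version = HTMLY_VERSION): string
{
    if (!$is_admin) {
        return '';
    }
    return '<p class="version">HTMLy '
        . htmlspecialchars($version, ENT_QUOTES, 'UTF-8') . '</p>' . "\n";
}

// Demo: what the public <head> would contain under each setting.
foreach (['full', 'name', 'off', 'bogus'] as $mode) {
    printf("%-5s => %s\n", $mode, trim(generator_tag($mode)) ?: '(no tag)');
}
echo admin_version_footer(true);
```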