
Re: PHP/WebApp policy/mailing list



On Sat, Apr 30, 2005 at 05:32:35PM +0100, Neil McGovern wrote:
> There's been a bit of discussion[0] recently on the debian-security list
> with regards to how include()ed files should be handled.

and this for the most part is a good practice.  if the file does not
need to be directly accessed by web clients, it should not be underneath
the web accessible directories.  that said, there are a lot of projects
in which that distinction is blurred, and in some cases it may not be
at all feasible.

i think a general guideline should be that any "include" files are
either impotent if fetched remotely (naming most php include files to
end in php can often achieve this), or better, restricted from being
accessed at all via web server access controls (htaccess for apache)
or placed outside of a fetchable root[1].  this is in order of least
to most preference.

> I think that, due to the large number of packages that are webapps, a
> policy should be created on how we handle these.

some time ago i wrote a rough outline of a policy[2], though there
remains much to be added to this.  at the time i decided it was a bit
too much work and too broad of a subject to be tackled at once, so
i then decided to focus on the database-specific portion of it[3],
thinking that the practices, trends, tools, and development methods could
be extrapolated.  

> To do this, it would be a good idea IMO to have a mailing list. This has
> already been suggested[1][2], and I agree that a debian-webapp list
> should be created.

i also think such an idea would be very useful, and i would certainly
join up in said list.


	sean

-- 
[1] prepending to php_include_path in a debian-centric config file is an easy
    way to achieve this for php pages.
[2] http://people.debian.org/~seanius/policy/webapp-policy.html
[3] http://people.debian.org/~seanius/policy/dbapp-policy.html
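The three options Sean ranks above (denying fetches via Apache access controls, and keeping include files outside the document root by prepending an application directory to the PHP include path) in one Apache configuration fragment. This is an added example, not part of the original message; the package name "myapp" and the paths under /usr/share and /etc are assumed placeholders.

```apache
# Added example (assumed paths). Option 2 from the message: include files
# that must stay under the document root are made unfetchable by the web
# server. This denies any request whose filename ends in .inc or .inc.php.
<Directory /usr/share/myapp/www>
    <FilesMatch "\.inc(\.php)?$">
        # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead.
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>

# Option 3 (preferred): include files live outside any fetchable root, so
# there is nothing for a client to request. The application directory is
# prepended to include_path so that `include 'config.inc';` in the app's
# pages resolves to /usr/share/myapp/include/config.inc without the pages
# needing to know the absolute location.
<Directory /usr/share/myapp/www>
    php_value include_path "/usr/share/myapp/include:.:/usr/share/php"
</Directory>

# Equivalent .htaccess contents for the deny rule, if the packaged
# application ships its includes alongside its pages and the site admin
# has AllowOverride Limit enabled for the document root:
#
#     <FilesMatch "\.inc(\.php)?$">
#         Order allow,deny
#         Deny from all
#     </FilesMatch>
```

A quick check after reloading Apache is to request one of the include files by URL and confirm a 403 is returned rather than the file's source.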
