“(2.0.7) Cannot load files via HTTP from manifest/cache (breaking markItUp extension)” – Issues – Discuss

4 users online. Create an account or sign in to join them.Users

(2.0.7) Cannot load files via HTTP from manifest/cache (breaking markItUp extension)

A for , submitted by nickdunn on 06 January 2010

Announcement

Symphony's issue tracker has been moved to Github.

Issues are displayed here for reference only and cannot be created or edited.

Browse

Closed#202: (2.0.7) Cannot load files via HTTP from manifest/cache (breaking markItUp extension)

- nickdunn
- Comment #1
- 06 Jan 10, 7:06 pm

2.0.7 introduces an .htaccess file in the /manifest with the line:

deny from all

I presume this is for security to ensure no configuration or cache files are ever opened, no matter how your server is configured.

Only, the markItUp extension writes its own files to the cache and serves these via HTTP to build the editor.

Can the deny rule be relaxed for the cache folder? It’s likely other extensions might be using this method too.

- rainerborene
- Comment #2
- 07 Jan 10, 2:44 am

Please, remove that .htaccess from /manifest. Let’s think another solution for this problem!

- rainerborene
- Comment #3
- 07 Jan 10, 2:54 am

Is it possible to make config.php unaccessible using the main .htaccess?

- nickdunn
- Comment #4
- 07 Jan 10, 3:19 am

I think htaccess is the best solution for the problem (it’s exactly what htaccess is there for) however I think the rule needs updating. Directory or DirectoryMatch rules could be added for the cache folder.

- Alistair
- Comment #5
- 11 Jan 10, 9:11 am

Directory or DirectoryMatch rules could be added for the cache folder.

I think that’s a good idea.

- Alistair
- Comment #6
- 11 Jan 10, 9:51 am

I dont think it is possible to use DirectoryMatch or Directory in .htaccess. Not really sure at this stage what the best setup is.

- rainerborene
- Comment #7
- 13 Jan 10, 6:27 am

@Alistair In this case, I suggest to change index.php directly.

define('DOCROOT', rtrim(dirname(__FILE__), '\/'));
define('DOMAIN', rtrim(rtrim($_SERVER['HTTP_HOST'], '\/') . dirname($_SERVER['PHP_SELF']), '\/'));
define('CONFIG', DOCROOT . '/../config.php'); ## Here is the secret..

require(DOCROOT . '/symphony/lib/boot/bundle.php');

function renderer($mode='frontend'){
    require_once(CORE . "/class.{$mode}.php");
    return ($mode == 'administration' ? Administration::instance() : Frontend::instance());
}

$renderer = (isset($_GET['mode']) ? strtolower($_GET['mode']) : 'frontend');
$output = renderer($renderer)->display(getCurrentPage());

header(sprintf('Content-Length: %d', strlen($output)));
echo $output;

exit();

What do you think?

- Alistair
- Comment #8
- 18 Jan 10, 8:32 am

@Alistair In this case, I suggest to change index.php directly.

I assume you mean to put the config outside the public folder. 2 problems with this approach.

Not all web hosts let you do that
It means the index.php file must change based on where you put the config.php file.

Perhaps the default install has a .htaccess with a FilesMatch rule denying access to the config file, but not worrying about anything else.

<FilesMatch "^config.php$">
    deny from all
</FilesMatch>

We could write a tutorial/article on hardening up a Symphony installation, which could cover moving the config.php.

- Alistair
- Comment #9
- 20 Jan 10, 12:33 pm

I have decided to remove the manifest/.htaccess file altogether. Post-2.0.7 I shall write an article on how to harden up a Symphony install, and this will include the creation of a .htacess in the manifest folder.

- Alistair
- Comment #10
- 20 Jan 10, 12:52 pm

I should add, those having problems with the “deny from all”, feel free to delete manifest/.htaccess.

This issue is closed.

Symphony.