Security concerns over root directory write access and SQL injection and script insertion
This is an open discussion with 5 replies, filed under Installation.
That issue that you have linked to has been resolved in Symphony 2.1.2 through a few code changes and by providing users with the XSS Filter extension to sanitise data inputs.
Symphony only requires the access to install, not to function. The recommendation to 777 is to prevent any permission errors that would block the installation. There is a following recommendation in the README to then change the permissions back after installation.
FYI for your technical guy, the only files written are the .htaccess, a manifest folder with 3 empty directories, tmp, logs and cache, and one file config.php, and finally an empty workspace folder. It is required that the manifest be writable (and readable, for that matter). The .htaccess file contains rewrite rules required for Symphony to function.
During development, the workspace folder should be writable so that new Events, Datasources and Pages can be written to disk, but for a production site, these can be locked down to read only.
If you have any other concerns or queries, please ask!
Thanks Brendo! I’ll pass on this info to the techies and will get back to you if any other concerns arise.
Cheers!
As for the bugs in the CNET article, these have been patched in the current 2.1.2 release, both in the core and with the addition of an XSS extension to filter your user generated content.
Symphony only requires the access to install, not to function.
Usually I set up and develop my Symphony sites on my local server (and don’t really care about taking the access rights after installation) and deploy it at a later stage.
During the deployment I manually create the manifest/config.php file as well as .htaccess and only give write access to tmp/, logs/ and cache/ inside manifest/.
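As an added example (not code from this thread or from the Symphony project) covering Brendo's post-install advice above and the deployment layout just described: a POSIX shell function that reverts the install-time 777, keeps only manifest/tmp, logs and cache writable, and leaves workspace/ writable only in development. It assumes a Linux host with GNU coreutils (stat -c), the standard layout named in the thread, and that the web server process runs as the group owner of the site files.

```shell
#!/bin/sh
# Added example, not part of Symphony or this thread. Assumes the layout
# described above: .htaccess and manifest/ (config.php, tmp/, logs/, cache/)
# plus workspace/ under the site root; the web server is the group owner.
# Usage: harden_symphony_perms /path/to/site [production|development]

harden_symphony_perms() {
    root="$1"
    mode="${2:-production}"

    # Undo the blanket 777 used for installation: nothing under the site
    # root should stay world-writable once the installer has finished.
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +

    # Runtime only writes into manifest/{tmp,logs,cache}; the web server
    # group gets write access there and nowhere else.
    for d in tmp logs cache; do
        chmod 775 "$root/manifest/$d"
    done

    # config.php holds database credentials: owner and web server group
    # may read it, nobody else.
    chmod 640 "$root/manifest/config.php"

    # .htaccess carries the rewrite rules Symphony needs; it must stay
    # readable but never writable by the PHP process.
    chmod 644 "$root/.htaccess"

    # In development Symphony writes new Events, Datasources and Pages
    # into workspace/; in production it stays read-only for the server.
    if [ "$mode" = "development" ]; then
        find "$root/workspace" -type d -exec chmod 775 {} +
    fi
}

# Returns 1 if any path under the root is still world-writable.
check_no_world_writable() {
    if find "$1" -perm -0002 | grep -q .; then
        return 1
    fi
    return 0
}
```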
Thanks everyone for your help. Let’s see if this does the trick ;)
Hi all,
I’m a front-end dev who recently requested a Symphony install on our production servers for a small corporate site. Unfortunately, our technical guy seems to have pretty serious security concerns about the system. Apparently, Symphony requires write access to the root directory in order to work and he is really not happy about it (something to do with the .htaccess file, I am told). I have scoured the web in search of people with similar concerns to no avail. I also stumbled across this http://forums.cnet.com/7726-6132_102-3374234.html which seems to be a fairly recent issue, although it seems not related.
As you’ve probably guessed, I’m not versed in server security so I’d appreciate any information you could provide that would help me understand and resolve the problem or at least reassure my colleague.
Many thanks.