Hi! > > Maybe we should use the .php extension for all config files? Even if > > they aren't PHP sourcefiles? This way their contents could be > > protected by a line like this on top: > > > > # <?php exit()?> > > > > Anyone wants to supply a patch? > > Ok, as I need it, I'll give it a try. I've looked at it. Before going > ahead, I would appreciate a review of the work spec proposal: > > - minimal effort - only truly sensitive files will be "scriptified". Okay, makes sense to me > - The sensitive files are in subdir conf: acl.auth and user.auth. They > will be renamed to acl.php and user.php. correct. Or should they be named acl.conf.php and user.conf.php ? > - Distribution versions (.dist) will be provided by renaming the > existing ones and inserting the php exit hack. fine > - The renaming can be propagated in the source code with a > 'darcs replace' command. I never used it, but that should work. > - No changes to the parsing and handling of the files will be > required, as the php exit hack is embedded in a script comment. correct > - Automatic upgrade feature: in the init.php file, a provision will > be added to upgrade existing installations automatically. Existing > acl.auth and user.auth files will be copied to a php version with > the php exit hack. Sounds good but may have some permission problems if the directory isn't writable and the new files can't be created. Andi