[dokuwiki] Re: Security without .htaccess

  • From: Jan Decaluwe <jan@xxxxxxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Tue, 10 May 2005 23:52:40 +0200

Andreas Gohr wrote:

> Hi!
>
>>> Maybe we should use the .php extension for all config files? Even if
>>> they aren't PHP source files? This way their contents could be
>>> protected by a line like this on top:
>>>
>>> # <?php exit()?>
>>>
>>> Anyone want to supply a patch?
>>
>> Ok, as I need it, I'll give it a try. I've looked at it. Before going
>> ahead, I would appreciate a review of the work spec proposal:
>>
>> - minimal effort - only truly sensitive files will be "scriptified".
>
> Okay, makes sense to me
>
>> - The sensitive files are in subdir conf: acl.auth and user.auth. They
>> will be renamed to acl.php and user.php.
>
> correct. Or should they be named acl.conf.php and user.conf.php ?

Assuming you mean acl.auth.php and users.auth.php (?), that may indeed be clearer.

>> - Distribution versions (.dist) will be provided by renaming the
>> existing ones and inserting the php exit hack.
>
> fine
>
>> - The renaming can be propagated in the source code with a
>> 'darcs replace' command.
>
> I never used it, but that should work.
>
>> - No changes to the parsing and handling of the files will be
>> required, as the php exit hack is embedded in a script comment.
>
> correct
>
>> - Automatic upgrade feature: in the init.php file, a provision will
>> be added to upgrade existing installations automatically. Existing
>> acl.auth and user.auth files will be copied to a php version with
>> the php exit hack.
>
> Sounds good but may have some permission problems if the directory isn't
> writable and the new files can't be created.

In such a case we should bail out, as is done now e.g. if users.auth is not writable.

Jan


-- 
Jan Decaluwe - Resources bvba - http://jandecaluwe.com
Losbergenlaan 16, B-3010 Leuven, Belgium
Using Python as a hardware description language:
http://jandecaluwe.com/Tools/MyHDL/Overview.html

--
DokuWiki mailing list - more info at http://wiki.splitbrain.org/wiki:mailinglist
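The "php exit hack" and the upgrade step discussed in this thread, as an added example that is not DokuWiki's own code (nor Jan's patch). It assumes a simple whitespace-separated auth file format, a temp directory for the demo, and hypothetical helper names `scriptify` and `parse_auth`; the sample ACL lines are constructed. It shows that the parser still reads the renamed file unchanged (the exit line is just a `#` comment to it), that the upgrade bails out when the conf directory is not writable, and what a web server serving the `.php` file would actually emit: only the `# ` before the PHP tag, after which `exit()` stops execution.

```php
<?php
// Added example, not DokuWiki's own code. File names and the temp directory
// are assumptions; the ACL content below is constructed sample data.

const EXIT_HACK = "# <?php exit()?>\n";

// Upgrade step: copy an existing plain auth file to its .php variant with the
// exit line prepended. Returns false (so the caller can bail out, as with an
// unwritable users.auth) when the source is unreadable, the directory is not
// writable, or the write fails. Safe to re-run: the line is never added twice.
function scriptify(string $src, string $dst): bool {
    if (!is_readable($src)) return false;
    if (!is_writable(dirname($dst))) return false;      // the permission case
    $body = file_get_contents($src);
    if ($body === false) return false;
    if (strpos($body, EXIT_HACK) !== 0) {
        $body = EXIT_HACK . $body;
    }
    $tmp = $dst . '.tmp';                                // write, then rename
    if (file_put_contents($tmp, $body, LOCK_EX) === false) return false;
    return rename($tmp, $dst);
}

// Parsing is unchanged: '#' lines are comments, so the exit line is skipped
// exactly like any other comment, and the rules below it are read as before.
function parse_auth(string $path): array {
    $entries = [];
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') continue;
        $entries[] = preg_split('/\s+/', $line);
    }
    return $entries;
}

// Demo on constructed data in a temp directory.
$dir = sys_get_temp_dir() . '/dokuwiki-conf-demo';     // assumed location
@mkdir($dir);
file_put_contents("$dir/acl.auth",
    "# constructed sample ACL\n*        @ALL     1\nstart    @admin   16\n");

var_dump(scriptify("$dir/acl.auth", "$dir/acl.auth.php"));   // bool(true)
print_r(parse_auth("$dir/acl.auth.php"));   // the two rules, comment lines dropped

// Unwritable directory: scriptify() refuses instead of half-upgrading.
var_dump(scriptify("$dir/acl.auth", "/proc/acl.auth.php"));  // bool(false)

// What a web server does with acl.auth.php: run it. PHP echoes the "# " that
// precedes the tag, then exit() ends the request, so no ACL line is ever sent.
echo "--- simulated request for acl.auth.php ---\n";
include "$dir/acl.auth.php";
echo "never reached\n";
```

Run it with `php example.php`; the last line printed is the `# ` emitted before `exit()`, and "never reached" does not appear, which is the property the renaming relies on. Note that the protection only holds if the web server is actually configured to execute `.php` files in the conf directory; the `.dist` copies and anything the server treats as static (e.g. the `.tmp` file if a rename fails) remain plain downloads.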
