setup/lib should be protected same way as libraries

2008-11-30 12:13:30 +00:00
parent 256a90dd8c
commit 2e7ee22e45
2 changed files with 9 additions and 5 deletions
--- a/Documentation.html
+++ b/Documentation.html
@@ -298,11 +298,12 @@ chmod o-rw config.inc.php          # remove world read and write permissions
        and your databases, or a login dialog if using
        <abbr title="HyperText Transfer Protocol">HTTP</abbr> or cookie
        authentication mode.</li>
-    <li>You should deny access to the <tt>./libraries</tt> subfolder in your
-        webserver configuration. For Apache you can use supplied .htaccess file
-        in that folder, for other webservers, you should configure this yourself.
-        Such configuration prevents from possible path exposure and cross side
-        scripting vulnerabilities that might happen to be found in that code.</li>
+    <li>You should deny access to the <tt>./libraries</tt> and
+        <tt>./setup/lib</tt> subfolders in your webserver configuration. For
+        Apache you can use supplied .htaccess file in that folder, for other
+        webservers, you should configure this yourself.  Such configuration
+        prevents from possible path exposure and cross side scripting
+        vulnerabilities that might happen to be found in that code.</li>
    <li>
        It is generally good idea to protect public phpMyAdmin installation
        against access by robots as they usually can not do anything good
--- a/setup/lib/.htaccess
+++ b/setup/lib/.htaccess
@@ -0,0 +1,3 @@
+# This folder does not require access over HTTP
+# (the following directive denies access by default)
+Order allow,deny