[Pmwiki-users] Re: Re: Safer .php-files
Christian Ridderström
chr
Sun Feb 29 06:37:44 CST 2004
On Fri, 27 Feb 2004, Patrick R. Michaud wrote:
> > Could someone comment on the risk of showing the contents of the php
> > file? I.e., why do an exit() instead of showing the file?
>
> Specifically, local/config.php often contains site-wide passwords,
> sometimes in cleartext depending on how the administrator has entered
> them. :-)
If you do that *and* want them to see your local/config.php, then you're
on your own :-)
> If you want to show the .php files, I suggest symlinking them into pub
> somewhere and putting an AddType directive or equivalent.
Unfortunately, the webserver I'm using refuses to follow symlinks.
> > Your server might not be configured to do so, but copying/linking them
> > to a file with the ending .phps will show them syntax highlighted.
No, this (copying) doesn't show the file with syntax highlighting (it
does show the contents though).
> Now *this* is useful, I wasn't aware of this option! Now I've just added
> the line
>
> AddType application/x-httpd-php-source .php
>
> to .htaccess files in my pub/ and upload/ directories and now .php files
> are displayed with syntax highlighting.
This doesn't work on my webserver either (I copied the text to a .htaccess
in pub/, but it still executes the .php file).
> One could possibly also do:
>
> <?php
> if (!defined('PmWiki'))
> { highlight_file($_SERVER['SCRIPT_FILENAME']); exit(); }
> ...
> ?>
This works nicely though. Except Balu said something about being able to
fiddle with $_SERVER['SCRIPT_FILENAME'] IIRC...
/Christian
--
Christian Ridderström http://www.md.kth.se/~chr
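
Added example, not part of the original message and not PmWiki's own code: a variant of the guard quoted above that takes the path from __FILE__ instead of a $_SERVER value and never displays files that may hold passwords. The 'PmWiki' constant comes from the quoted snippet; the rule for what counts as sensitive (anything under local/ or with "config" in its name) is an assumption made for illustration.

```php
<?php
// Added example: place at the top of a script that is meant to be
// include()d by PmWiki rather than requested directly.
if (!defined('PmWiki')) {
    // __FILE__ is filled in by the PHP engine with this file's own path,
    // so the guard does not depend on any server-supplied variable.
    $self = __FILE__;

    // Assumption: files in a local/ directory, or named like a config
    // file, may contain site-wide passwords and must never be shown.
    $sensitive = basename(dirname($self)) === 'local'
        || stripos(basename($self), 'config') !== false;

    if ($sensitive) {
        // Same effect as the plain exit() guard: nothing is disclosed.
        header('HTTP/1.0 403 Forbidden');
    } else {
        // Show the syntax-highlighted source instead of executing it.
        highlight_file($self);
    }
    exit();
}

// ... rest of the script, reached only when included by PmWiki ...
```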