
Return 403 for /console via htaccess #13492

Closed
Findus23 opened this issue Sep 27, 2018 · 6 comments
Labels
wontfix If you can reproduce this issue, please reopen the issue or create a new one describing it.

Comments

@Findus23
Member

By default, opening /console shows the PHP source, which is a bit ugly.
http://demo.matomo.org/console

The default .htaccess file should return 403 for this path.

@tsteur
Member

tsteur commented Sep 28, 2018

Not sure but AFAIK we don't put an htaccess file into the root folder eg because users might have their own htaccess defined there. I might be wrong though.

@fdellwing
Contributor

Couldn't we just use (PHP_SAPI !== 'cli') && die('cli only'); ? Or is the problem that the file does not get interpreted because it has no .php ending?

@tsteur
Member

tsteur commented Sep 28, 2018

> Or is the problem that the file does not get interpreted because it has no .php ending?

Exactly. The source is public anyway though, so it is not much of a problem.

@Findus23
Member Author

Exactly, this is less about security (as everyone already knows the content) and more about not showing URLs that can be confusing to the user or appear broken.
The same could be said about all other files in the root directory (composer.json, etc.).

@fdellwing
Contributor

Well, I don't see a good method to provide a .htaccess now without breaking existing installations.

@tsteur
Member

tsteur commented Oct 1, 2018

Personally I would close this issue. If someone is concerned about it, they can block it in their htaccess or webserver. We're not showing the URLs to users, so they shouldn't get confused IMO.
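For a site administrator who wants to follow the suggestion above and block the path in their own webserver configuration, the following is an added example of a root .htaccess fragment for Apache. It is not part of Matomo and not code from the issue's participants; it assumes the file is placed in the Matomo root directory, that AllowOverride permits the Files directive there, and that the server is Apache 2.4 (with a fallback for 2.2). It returns 403 for the "console" script, which the issue notes is served as plain PHP source because it has no .php extension.

```apache
# Added example (not Matomo's own .htaccess): deny HTTP access to the
# CLI-only "console" script in the Matomo root. The file has no .php
# extension, so Apache would otherwise serve its source as text.
<Files "console">
    # Apache 2.4 and later: mod_authz_core syntax
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2: legacy mod_authz_host syntax
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
```

The Files directive matches the bare filename, so it only affects the console script and leaves every .php entry point untouched. After deploying it, a request for /console should answer with 403 instead of 200 with a text/x-php or text/plain body; the same block can be extended with additional Files entries for other root files the thread mentions, such as composer.json, if those should be hidden as well.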

@mattab mattab closed this as completed Oct 10, 2018
@mattab mattab added the wontfix If you can reproduce this issue, please reopen the issue or create a new one describing it. label Oct 10, 2018