@Findus23 opened this Issue on September 27th 2018 Member

By default, opening /console shows the PHP source, which is a bit ugly.
http://demo.matomo.org/console

The default .htaccess file should return 403 for this path.

@tsteur commented on September 28th 2018 Member

Not sure, but AFAIK we don't put an htaccess file into the root folder, e.g. because users might have their own htaccess defined there. I might be wrong though.

@fdellwing commented on September 28th 2018 Contributor

Couldn't we just use (PHP_SAPI !== 'cli') && die('cli only'); ? Or is the problem that the file does not get interpreted because it has no .php ending?

@tsteur commented on September 28th 2018 Member

> Or is the problem that the file does not get interpreted because it has no .php ending?

Exactly. The source is public anyway though so it is not much of a problem.

@Findus23 commented on September 29th 2018 Member

Exactly, this is less about security (as everyone can already know the content), but more about not showing URLs that can be confusing to the user or appear broken.
The same could be said about all other files in the root directory (composer.json, etc.)

@fdellwing commented on September 29th 2018 Contributor

Well, I don't see a good method to provide a .htaccess now without breaking existing installations.

@tsteur commented on October 1st 2018 Member

Personally I would close this issue. If someone is concerned about it, they can block it in their htaccess or webserver. We're not showing the URLs to users so they shouldn't get confused IMO.

This Issue was closed on October 10th 2018
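
One way to do the site-local blocking suggested in the last comment, as an added example that is not from the thread or from the Matomo project. It assumes Apache 2.4 with an administrator-maintained .htaccess in the install root, and covers only the two file names mentioned above.

```apache
# Added example (assumption: Apache 2.4, .htaccess placed in the install root).
# In per-directory context the RewriteRule pattern is matched against the
# path relative to this directory, so ^console$ matches only the root-level
# file and not a file named "console" deeper in the tree.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # [F] answers 403 Forbidden instead of serving the file as plain text.
    RewriteRule ^(console|composer\.json)$ - [F]
</IfModule>

# Fallback when mod_rewrite is not loaded. <Files> matches on the basename,
# so this also denies same-named files in subdirectories.
<IfModule !mod_rewrite.c>
    <Files "console">
        Require all denied
    </Files>
    <Files "composer.json">
        Require all denied
    </Files>
</IfModule>
```

If the root .htaccess already contains rewrite rules, place the deny rule before them so it is evaluated first.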