[dev] .inc files

Anil Madhavapeddy anil@recoil.org
Sun, 25 Nov 2001 14:01:44 +0000


On Fri, Nov 23, 2001 at 08:35:26PM -0500, Jon Parise wrote:
> Also along the lines of templates, we should rename all of the
> .inc files to .php files.  That way, they'll be uniform, and we
> won't have to worry about .inc files not being parsed by the web
> server.
> 

Why?  I thought we had this debate a while back, and concluded
that they should be ".inc" files exactly because they shouldn't
be parsed by the web server.

I think that _only_ files which are meant to be executed by
the web-server should end in .php, to prevent rogue code fragments
being executed by someone who runs the template file directly.

With this argument, Horde library files should probably end
in .lib, but since they are all wrapped up in classes, there
is very little a remote attacker can do by executing them 
directly, so it doesn't matter.

And yes, everyone should be restricting access to templates/
by .htaccess files or other mechanisms, but I bet many people
don't :)

Anil
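
An added example, not part of the original message or of Horde's code: a Python audit of a document root that flags the two exposures discussed above, `.inc` files the server does not parse (so a direct request returns them as text) and `.php` fragments under `templates/` that run when requested directly, while skipping directories covered by a deny-all `.htaccess`. The function names, the sample tree and the deny-all heuristic are assumptions made for the illustration.

```python
import os
import re
import tempfile

# Heuristic: any deny-all line counts (Apache 2.2 and 2.4 syntax), even inside
# a <Files> block. Assumes AllowOverride lets .htaccess take effect.
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)

def denied(directory, root):
    """True if directory, or an ancestor up to root, has a deny-all .htaccess."""
    directory, root = os.path.abspath(directory), os.path.abspath(root)
    while True:
        ht = os.path.join(directory, ".htaccess")
        if os.path.isfile(ht):
            with open(ht, encoding="utf-8", errors="replace") as fh:
                if DENY_RE.search(fh.read()):
                    return True
        if directory == root or directory == os.path.dirname(directory):
            return False
        directory = os.path.dirname(directory)

def audit(root, template_dirs=("templates",)):
    """Return sorted (relative path, risk) pairs for fragments reachable by URL."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if denied(dirpath, root):
            dirnames[:] = []  # subtree is blocked, nothing below is reachable
            continue
        parts = os.path.relpath(dirpath, root).split(os.sep)
        in_templates = any(p in template_dirs for p in parts)
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if name.endswith(".inc"):  # not parsed by default: returned as text
                findings.append((rel, "source disclosure"))
            elif name.endswith(".php") and in_templates:  # runs out of context
                findings.append((rel, "direct execution"))
    return sorted(findings)

def build_sample(root):
    """Constructed tree: an open templates/ beside one with a deny-all .htaccess."""
    for rel in ("index.php", "templates/menu.inc", "templates/login.php",
                "safe/templates/menu.inc", "safe/templates/.htaccess"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("Deny from all\n" if rel.endswith(".htaccess") else "<?php ?>")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit(tmp))
```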