[horde] horde interapplication conflicts

Rich Lafferty rich at horde.org
Sun Feb 18 14:22:31 PST 2001


On Sun, Feb 18, 2001 at 09:21:19PM +0100, Nico Galoppo (scratch at ace.ulyssis.org) wrote:
> 
> > > Are you sure that it's safe to put all the horde code in a publicly
> > > accessible webdir, security-wise?
> > 
> > Well, it's all *intended* to be executed. Anything that executes *and*
> > does something needs the user to be logged in; anything that just
> > loads up a bunch of variables or functions can happily do so then exit
> > without any side effects at all.
> > 
> > (Since you tell your webserver to hand ".php" files to the PHP
> > interpreter, it's not like they'll be displayed or anything.)
> 
> True, but then there's the ".inc" files. I'm playing the devil's
> advocate here. Of course you could tell the webserver not to show
> them,

Yes, that's the idea, since at least one will have your database
authentication information in it.

> and/or never put any confidential stuff in there, but I prefer the
> approach of putting everything that's code outside the public tree as a
> general rule.

I don't understand -- all of Horde and IMP, graphics notwithstanding,
are code. That's the idea behind PHP.

  -Rich

-- 
------------------------------ Rich Lafferty ---------------------------
 Sysadmin/Programmer, Instructional and Information Technology Services
   Concordia University, Montreal, QC                 (514) 848-7625
------------------------- rich at alcor.concordia.ca ----------------------