phpBB / PHPBB-16213

Vendor and phpbb folders do not have .htaccess files



    • Bug
    • Status: Open
    • Minor
    • Resolution: Unresolved
    • 3.2.8
    • None
    • Other


      The documentation at https://www.phpbb.com/community/docs/INSTALL.html#webserver_configuration says that "For Apache there are .htaccess files already in place to do this for the most sensitive files and folders. We do however recommend to completely deny all access to the aforementioned folders and their respective subfolders in your Apache configuration."

      There are no caveats given for "do not do this unless", so there is no indication that Apache configuration for these additional directories was intentionally omitted "because it doesn't work for everyone."

      So if phpBB already contains .htaccess files to block various directories (/cache, /images/avatars/upload, /store, /files, etc.), and phpBB "recommends" that these other folders be blocked too, why isn't phpBB including .htaccess files in those folders too?

      The sample NGINX configuration phpBB ships with blocks these folders, but the Apache configuration phpBB ships with does not.  It seems like this is unnecessarily "documented" and simply should have been "done".

      Meaning add the /vendor/.htaccess and /phpbb/.htaccess to the phpBB distribution, so that on Apache access to these folders will be blocked from HTTP requests.

      Does anyone have any history on why they were omitted?  And why does the documentation cited describe using the Apache .conf file to block access to these folders, rather than blocking access using the .htaccess file as in the case of the other folders that phpBB ships with Apache configuration for?




            Unassigned
            EA117
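An added example, not part of the original report or of phpBB: a filesystem audit that reports which of the directories named in the issue carry an `.htaccess` with an uncommented deny-all directive. The function names and the sample tree are assumptions constructed for the demo, and the check cannot tell whether the server's `AllowOverride` setting lets Apache honour the file.

```python
import re
import tempfile
from pathlib import Path

# Directories named in the issue; the report says vendor/ and phpbb/ ship without an .htaccess.
SENSITIVE_DIRS = ["cache", "images/avatars/upload", "store", "files", "vendor", "phpbb"]

# Deny-all in Apache 2.4 syntax (mod_authz_core) and the older 2.2 Order/Deny syntax.
DENY_RE = re.compile(r"^[ \t]*(Require\s+all\s+denied|Deny\s+from\s+all)[ \t]*$",
                     re.IGNORECASE | re.MULTILINE)

def has_deny_all(text):
    """Heuristic: an uncommented deny-all line exists (section scoping is not parsed)."""
    live = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    return bool(DENY_RE.search(live))

def audit(root):
    """Map each sensitive dir to 'deny', 'no-deny', 'no-htaccess' or 'absent'."""
    result = {}
    for rel in SENSITIVE_DIRS:
        ht = Path(root) / rel / ".htaccess"
        if not ht.parent.is_dir():
            result[rel] = "absent"
        elif not ht.is_file():
            result[rel] = "no-htaccess"
        else:
            result[rel] = "deny" if has_deny_all(ht.read_text(errors="replace")) else "no-deny"
    return result

def build_sample_tree(root):
    """Constructed layout for the demo; file contents are illustrative, not phpBB's."""
    samples = {
        "cache": "<IfModule mod_authz_core.c>\n\tRequire all denied\n</IfModule>\n",
        "store": "Order Allow,Deny\nDeny from All\n",
        "files": "# Require all denied\n",   # commented out: no effect
        "vendor": None,                       # directory without .htaccess
        "phpbb": None,
    }
    for rel, body in samples.items():
        (Path(root) / rel).mkdir(parents=True)
        if body is not None:
            (Path(root) / rel / ".htaccess").write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, status in audit(tmp).items():
            print(f"{status:12} {rel}")
```

Point `audit()` at the board's root directory to check a real installation.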