Details
-
Bug
-
Status: Open (View Workflow)
-
Minor
-
Resolution: Unresolved
-
3.2.8
-
None
Description
The documentation at https://www.phpbb.com/community/docs/INSTALL.html#webserver_configuration says that "For Apache there are .htaccess files already in place to do this for the most sensitive files and folders. We do however recommend to completely deny all access to the aforementioned folders and their respective subfolders in your Apache configuration."
There are no caveats given for "do not do this unless", so there is no indication that Apache configuration for these additional directories was intentionally omitted "because it doesn't work for everyone."
So if phpBB already contains .htaccess files to block various directories (/cache, /images/avatars/upload, /store, /files, etc.), and phpBB "recommends" that these other folders be blocked too, why isn't phpBB including .htaccess files in those folders too?
The sample NGINX configuration phpBB ships with blocks these folders, but the Apache configuration phpBB ships with does not. It seems like this is unnecessarily "documented" and simply should have been "done".
Meaning add the /vendor/.htaccess and /phpbb/.htaccess to the phpBB distribution, so that on Apache access to these folders will be blocked from HTTP requests.
Does anyone have any history on why they were omitted? And why does the documentation cited describe using the Apache .conf file to block access to these folders, rather than blocking access using the .htaccess file as in the case of the other folders that phpBB ships with Apache configuration for?