View Issue Details
| Field | Value |
|---|---|
| ID | 0023211 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2017-08-11 09:14 |
| Last Update | 2017-10-14 14:11 |
| Reporter | hloehnert |
| Assigned To | dregad |
| Priority | normal |
| Severity | minor |
| Reproducibility | always |
| Status | assigned |
| Resolution | open |
| Summary | 0023211: Warning regarding admin-folder, even if access is restricted |
| Description | With commit But if I restrict the access to it with an .htaccess file, I still get this warning. So I think the warning is not correct. |
| Steps To Reproduce | add .htaccess file to admin-folder: |
| Tags | No tags attached. |

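
The `.htaccess` file the reporter's reproduction step refers to is not shown on this page. The following is an added example (not the reporter's file and not part of MantisBT) of an Apache `.htaccess` that denies all web access to the admin directory; it assumes the file is placed at `<mantis root>/admin/.htaccess` on an Apache 2.4 server, with the 2.2 equivalent in a comment:

```apache
# Added example: deny all web access to mantisbt/admin/ (Apache 2.4 syntax).
# Assumed location: <mantis root>/admin/.htaccess
Require all denied

# Apache 2.2 equivalent (or 2.4 with mod_access_compat):
# Order deny,allow
# Deny from all
```

The directive only takes effect if the enclosing virtual host or `<Directory>` block allows it: `Require` needs `AllowOverride AuthConfig` (or `All`), and the 2.2 `Deny` form needs `AllowOverride Limit`. With `AllowOverride None`, which is the Apache 2.4 default, the file is silently ignored and the directory stays reachable. That is the practical reason a filesystem-level check inside the application cannot tell whether such a restriction is effective; only a request against the URL (expecting 403) can. Deleting the directory after installation, as the admin guide instructs, remains the safest option.
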
Could you try whether restricting access by removing permissions at the operating system level works?

By removing permissions at the operating system level, the warning is gone. In my installation the web server is running on a Linux machine and the Mantis application is actually located on a mounted Windows folder.

I don't think so, as the message Furthermore, keep security in mind.
Just out of curiosity, what's the advantage of that?

Reminder sent to: dregad
Maybe just reword the message?

This code was really written based on the admin guide's instructions, i.e. deleting the directory; I also tested by removing read/execute access to it, but didn't consider .htaccess restrictions. As a workaround you can disable admin checks I need to check what can be done to detect .htaccess restrictions.

Probably better to try and check for accessibility from a web server point of view instead of a filesystem one. @hloehnert can you try like this? (note, I did not actually test this)
As a side note, this has the added benefit that the schema-based admin checks are executed, which is not possible when access is disabled at the filesystem level.

I wrote nonsense, as I wasn't aware at that moment that we are talking about login_page.php and not the content of the admin folder itself.

Please ignore 0023211:0057443 - it does not work. I'll try to come up with a different approach.

See PR https://github.com/mantisbt/mantisbt/pull/1151, which seems to work with .htaccess AFAICT, but I need to do some more testing. Please test on your end, and let me know your feedback.

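The approach the thread converges on is to judge the admin directory from the web server's point of view rather than the filesystem's. The script below is an added, standalone illustration of that idea; it is not MantisBT code and not the contents of the PR linked above. It requests `<base_url>/admin/` and classifies the response: a 403 from an `.htaccess` deny or a 404 from a deleted directory both count as safe, while a 200 means the directory is served and the warning is justified. The local fixture server, its three modes and the `/admin/` path are constructed for the demo, and `cafile` is an assumed parameter for the self-signed certificate case mentioned later in the thread.

```python
"""Probe a MantisBT-style admin/ directory over HTTP (added example).

Not MantisBT's own code. The fixture server, its modes and the /admin/
path are constructed for the demonstration; cafile is an assumed
parameter for installations that use a self-signed certificate.
"""
import http.server
import ssl
import threading
import urllib.error
import urllib.request


def classify_admin_dir(status):
    """Map the HTTP status of GET <base>/admin/ to a verdict string."""
    if 200 <= status < 300:
        return "exposed"       # directory is served: the warning is justified
    if status in (401, 403):
        return "restricted"    # web server denies it (.htaccess, Require, auth)
    if status in (404, 410):
        return "absent"        # directory deleted, as the admin guide instructs
    return "unknown"           # e.g. 5xx: report it, never treat it as safe


def probe_admin_dir(base_url, timeout=5.0, cafile=None):
    """Request <base_url>/admin/ and classify the final response.

    cafile (assumed parameter): CA bundle or self-signed certificate file
    to trust for HTTPS; pass that rather than disabling verification.
    urllib follows redirects, so the status classified is the final one.
    """
    url = base_url.rstrip("/") + "/admin/"
    context = ssl.create_default_context(cafile=cafile) if url.startswith("https://") else None
    request = urllib.request.Request(url, headers={"User-Agent": "admin-dir-probe/1"})
    try:
        with urllib.request.urlopen(request, timeout=timeout, context=context) as response:
            return classify_admin_dir(response.status)
    except urllib.error.HTTPError as err:   # 4xx/5xx arrive as exceptions
        return classify_admin_dir(err.code)
    except OSError:                         # unreachable host, timeout, TLS failure
        return "unknown"


class _FixtureHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a web server that hosts an admin/ directory.

    The server's admin_mode attribute selects the behaviour of /admin/:
      "served"   -> 200 (no restriction at all)
      "htaccess" -> 403 (a deny rule such as 'Require all denied' is in effect)
      "deleted"  -> 404 (directory removed)
    Every other path answers 200, like an ordinary application page.
    """
    _ADMIN_STATUS = {"served": 200, "htaccess": 403, "deleted": 404}

    def do_GET(self):
        if self.path.startswith("/admin/"):
            status = self._ADMIN_STATUS[self.server.admin_mode]
        else:
            status = 200
        body = b"ok\n" if status == 200 else b"denied\n"
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_args):
        pass                   # keep the fixture quiet


def probe_fixture(admin_mode):
    """Start a throw-away server on 127.0.0.1, probe it, shut it down."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _FixtureHandler)
    server.admin_mode = admin_mode
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_admin_dir("http://127.0.0.1:%d" % server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


def demo():
    """Verdict per fixture mode; only 'served' should trigger the warning."""
    return {mode: probe_fixture(mode) for mode in ("served", "htaccess", "deleted")}


if __name__ == "__main__":
    for mode, verdict in demo().items():
        print("%-9s -> %s" % (mode, verdict))
```

Two caveats when running this against a real installation: issue the request from the same network position as ordinary users (an application that only probes `localhost` can pass where the public virtual host does not), and treat `401` as "restricted for anonymous users" only, since anyone holding the credentials can still reach the directory.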
I use SSL with a self-signed certificate.
My development environment is on Windows; the app itself is running on a virtual machine with Linux.

So we are talking about a development environment with your own config_inc.php. @dregad do you still see the need to change anything more than just enhancing the warning message?

Basically yes - but I want to keep the committed files in sync with the production environment as much as possible and want my development environment to behave the same as the production one. And as @dregad mentioned, the solution with a check from a web server point of view has a benefit:

In addition to my previous note:

@hloehnert what you might need is some kind of deployment pipeline.
That's what I'm doing for best performance when going from Test to Production, set There are some more reasons to have your own versions of config_inc.php during development, test and production.

I agree, but the production-relevant settings in config_inc.php are not explicitly separated from the debug/log-relevant settings. A solution I am thinking about now is to work with

Might help; not sure you are aware that there is already similar special handling for localhost

This assumes I run my browser on 'localhost', which I actually don't do. My server is a pure server installation without a graphical user interface.

@hloehnert 0023211:0057471 was just a hint, an example of how to implement server-dependent configuration.