Love Fuel?    Donate

FuelPHP Forums

Ask your question about FuelPHP in the appropriate forum, or help others by answering their questions.
Security in my app classes etc..
  • #Phil F#Phil F
    Hi, Bit of a poll type question... Am I being overly cautious by adding
    if(!defined('APPPATH')) exit('No direct script access allowed');

    to all of my files?
  • PaulboCoPaulboCo
    Phil Foulston wrote on Saturday 9th of April 2011:
    Hi,
    Bit of a poll type question...
    Am I being overly cautious by adding 
    if(!defined('APPPATH')) exit('No direct script access allowed');
    to all of my files?
    You would only need to do that if you place the fuel directory inside the document root. In my opinion, that is never a good practice.
  • daGrevisdaGrevis
    Take a look at this for more info... I asked about it myself, just in Kohana forums.
  • #Phil F#Phil F
    Hi, I am not just talking about controllers which are classes so just a blank page is displayed I am also asking in relation to views etc... PaulboCo - I would agree with you in an ideal world where we could control how the application is deployed but we can't. A customer who purchased an application from us may decide to deploy it in a subfolder or subdomain. daGrevis - Thanks for the info. Basically they are saying that the framework should encourage this to accommodate a deployment to an incorrectly configured server or god forbid everything into the public folder (due to not knowing any different. Remember not everyone is a web developer). That is the reason for my question and based on this should all of the fuel files be altered to accommodate this security measure? I am just asking due to using codeigniter for so long and then seeing that this code doesn't exist in Fuel. Phil.
  • Jelmer SchreuderJelmer Schreuder
    When uploading an application you do it either outside your webroot, or (when that's impossible) you use a .htaccess file to disallow http access to the files in the fuel directory. When no such option or similar option is available you have to wonder if this isn't a host that should be dropped and you should tell your client that. The protection the line you mentioned gives is a very limited one, it could do but is never as good as disallowing access in the first place. There's 2 possible scenarios:
    1. Direct access to the file through the Url: in many cases this will just define the class but nothing else will happen, only in files which contain any procedural code would the defined check add something.
    2. Access by including your file: THIS SHOULD NEVER EVER HAPPEN. Once someone has that kind of access your problems are far bigger, and checking if a known constant exists adds no security at all.
  • #Phil F#Phil F
    Ok Think of a product like Pyrocms for example where we never see or get involved in the installation. I do happen to agree though in that it should not be our responsibility when it comes to server security or even how the customer decides to install our Fuel apps. I look forward to the questions "What do you mean install everything behind web root except for the public folder which should be installed in to your web root?". Note to self: Must think of a better way to explain this lol... Phil.
  • ianian
    Well Phil F, here's one of those "what do you mean?" questions. Not really, I know what you mean because I started separating the system from the app in codeigniter for security and for using the same system folder to run multiple apps. But, in the beginner fuelphp tutorials I've seen so far and every one I've seen for CI and Kohana, they start by telling you to install the whole thing to your www root directory. Maybe explaining how to install it outside the root directory should be the first step in every beginner tutorial since putting it in the root is such a no-no. I found this article because I was wondering the same thing about the missing constant check like in CI and Kohana. I know there is the htaccess "deny from all" that comes already set up in the fuel directory but was wondering about what would happen if there is a problem with htaccess not working. Even if it's not necessary, I'm wondering if it would be overkill or proactive security thinking to go ahead and put it in anyway. While there's a lot I don't know about security and how the fuel framework works, I tend to think that paranoia is good security practice.
  • HarroHarro
    It's not going to be easy to explain how to install outside the docroot, as that would require knowledge of the server environment, which is different for everyone. I my case, Fuel lives in /data/fuel/1.0, /data/fuel/1.1 and /data/fuel/develop (for the moment), so I have both core and packages in multiple versions online. My docroots are in /data/www/<hostname>. Via de index.php settings I can select the Fuel version I want. I have a similar system setup for modules. My guess is that your setup is quite different... ;)
Add a Comment

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Apply for Membership

Categories

In this Discussion