Bug #23078
Ship .htaccess with a Deny rule for *.sql
| Status: | New | Start date: | 2010-07-02 |
|---|---|---|---|
| Priority: | Should have | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | - | | |
| Target version: | 4.7.0-beta3 | | |
| TYPO3 Version: | 4.7 | Complexity: | |
| PHP Version: | 5.3 | | |
| Votes: | 0 | | |
Description
*.sql files can disclose information, which could be helpful for attackers.
ext_tables.sql in extensions is an example.
(issue imported from #M14975)
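A sketch of the kind of rule the title asks for, as an added example rather than TYPO3's shipped .htaccess. It goes slightly beyond `*.sql` by also matching upper-case names and suffixed dumps such as `dump.sql.gz`; it assumes the server honours .htaccess files in the document root.

```apache
# Added example, not the project's own file. Place in the document root.
# Assumption: AllowOverride permits these directives (Limit for the 2.2
# syntax, AuthConfig for the 2.4 syntax); otherwise put the block in the
# virtual host configuration instead.

# Matches foo.sql, FOO.SQL and suffixed dumps such as dump.sql.gz or dump.sql.bak
<FilesMatch "(?i)\.sql(\..*)?$">
    # Apache 2.4 and later (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (legacy mod_authz_host syntax)
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

With the rule active, a request for any matching file under the document root should return 403 Forbidden instead of the file contents.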
History
Updated by Steffen Gebert over 1 year ago
- Target version deleted (0)
- TYPO3 Version changed from 4.4 to 4.7
Opinions?
Updated by Georg Ringer over 1 year ago
Don't do that as there is absolutely no benefit and far more ways to get the version of an extension.
If there is an SQLi on a website, you don't need those files anyway to get the table structure.
Better would be to invest time to be able to move the ext_tables.sql inside the Resources/Private folder as there is the better way for an htaccess to block everything.
Updated by Steffen Gebert over 1 year ago
I filed this once when I googled for some TYPO3 string and ended up in a SQL dump of someone's TYPO3 installation. That's why I would say better safe than sorry..
Although they didn't link it anywhere and they created it just a few days ago, it appeared in the Google results. Of course, ext_tables.sql is a bad argument. Let's just use the vote button!
Updated by Steffen Ritter over 1 year ago
- Target version set to 4.7.0-beta2
Updated by Steffen Ritter over 1 year ago
- Target version changed from 4.7.0-beta2 to 4.7.0-beta3