
die('No access...');

I was wondering: is it really really necessary?

I think this die at the beginning of the files makes sense for files without functions or classes, so that they may output something to the client if accessed directly.
But all the source and template files are either a collection of functions or a class, so as such they cannot output anything and they cannot be used (AFAIK) without being included by a script and used somehow.

That's where my question comes from.
Bugs creator.
Features destroyer.
Template killer.

Re: die('No access...');

Reply #1

I think you are right, but I'm sure way back when that security issue was found / exploited, everything was done just since it was easier to do that than determine when or where to do it. I see that same "code" in many other packages which is kind of interesting as well.

Re: die('No access...');

Reply #2

I don't like it. It makes it impossible to reuse files. It is a catchall security measure.

Re: die('No access...');

Reply #3

Yup, those are more or less my concerns as well.

I did compare some other scripts as well, some have that code, some don't.

It may be worth considering also a mixed solution: keep the die for files that are meant to be used inside ElkArte (basically all the controllers, either admin or not and some of the files in sourcedir), while for files that are meant (or at least intended) to be reused (all the files in subs and some in sourcedir) avoid it.

Re: die('No access...');

Reply #4

Our web server configuration completely blocks its access to the sources folder, as well as to *.php in any subfolders, such as the themes folder.  In my opinion, this should be standard practice.

The forum architecture could probably do more to encourage this sort of setup. I sure hope that it never breaks this sort of setup.
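
The kind of setup Reply #4 describes, sketched as an nginx server block. This is an added example, not the poster's actual configuration or ElkArte's own; the choice of nginx, the host name, the install path and the PHP-FPM socket are all assumptions.

```nginx
# Constructed example: forum.example, /var/www/forum and the FPM socket
# path are placeholders, not values from the thread.
server {
    listen 80;
    server_name forum.example;
    root /var/www/forum;
    index index.php;

    # 1. Nothing under sources/ is ever served, whatever the file type.
    #    "^~" stops nginx from evaluating the regex locations below.
    location ^~ /sources/ {
        return 403;
    }

    # 2. Any .php file that sits in a subfolder (themes/, etc.) is refused.
    #    Must come before the handler in (3): regex locations are tried in
    #    order and the first match wins.
    location ~* ^/[^/]+/.*\.php(/|$) {
        return 403;
    }

    # 3. Only PHP files directly in the document root reach the interpreter.
    location ~ ^/[^/]+\.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # 4. Static assets (CSS, JS, images in themes/) are still served as files.
    location / {
        try_files $uri $uri/ =404;
    }
}
```

With this in place the in-file `die('No access...');` check becomes a second layer rather than the only one: a direct request for a PHP file in a subfolder is refused by the server before PHP runs at all.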


 

Re: die('No access...');

Reply #5

Nope, I don't see any intention to break the sources/themes kind of separation[1]. ;)
Actually, I would even go a step further and keep in the themes directory only the files that should really be accessible from the outside... well, that may be something for Elk 3.0 or 2.0, who knows.