XOOPS_TRUST_PATH

Date 2006-05-14 05:21:28 | Category: XOOPS

XOOPS_TRUST_PATH is an important concept not only for D3 but also for the security of XOOPS.

"XOOPS_TRUST_PATH" is a constant defined in mainfile.php.


define('XOOPS_TRUST_PATH','/home/yourhome/xoops_trust_path');


Note that this directory should be outside the DocumentRoot of your httpd.

Generally, all PHP files except the "entrance" files should be placed outside DocumentRoot.
If PHP files that are meant to be included from other PHP files are directly accessible, they can become security holes.

The worst example is Agenda-X.
This vulnerability caused a server at sourceforge.jp to go down.

Of course, I put .htaccess files in some folders to deny direct access.
But there are many servers unable to use .htaccess.

Thus I suggest a constant, XOOPS_TRUST_PATH, specifying the path of a file tree outside DocumentRoot.

This is my plan.

- html (inside DocumentRoot)
---- kernel
---- class
---- include
---- modules
-------- forum   (D3 module instance. you can name it as you like)
---- templates_c (deprecated)
---- cache (deprecated)
---- uploads    (avatar, smiley, ranks etc.)

- xoops_trust_path (out of DocumentRoot)
---- modules
-------- d3forum   (D3 module class)
---- uploads    (attachments etc.)
---- wraps      (the wraps module uses it)
---- templates_c
---- cache
---- fullcache  (FCH uses it)
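
As an added example (not code from XOOPS or from the author of this article), the PHP below checks that a configured XOOPS_TRUST_PATH really resolves outside DocumentRoot, including the cases a plain string comparison gets wrong. The function name and the temporary directory layout are hypothetical and constructed for the demonstration; symlink() assumes a POSIX host.

```php
<?php
// Hypothetical helper (not part of XOOPS): true only when $trustPath resolves
// to an existing directory that is neither $docRoot nor anywhere beneath it.
function trust_path_is_outside_docroot(string $trustPath, string $docRoot): bool
{
    // realpath() resolves symlinks and "..", and returns false for missing paths.
    $trust = realpath($trustPath);
    $root  = realpath($docRoot);
    if ($trust === false || $root === false || !is_dir($trust) || !is_dir($root)) {
        return false; // fail closed: an unresolvable path is not accepted
    }
    // Compare with a trailing separator so that a sibling such as "html2"
    // is not mistaken for something inside "html".
    $trust = rtrim($trust, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $root  = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($trust, $root, strlen($root)) !== 0;
}

// Constructed layout in a temporary directory, mirroring the plan above.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . uniqid('trustdemo_');
foreach (['html/modules/forum', 'html2', 'xoops_trust_path/modules/d3forum'] as $dir) {
    mkdir($base . '/' . $dir, 0700, true);
}
// A symlink that sits outside html by name but points back into it.
symlink($base . '/html/modules', $base . '/trust_link');

$docRoot    = $base . '/html';
$candidates = [
    'xoops_trust_path',          // the layout proposed in the article
    'html/modules',              // plainly inside DocumentRoot
    'html2',                     // sibling that shares a name prefix
    'html/../xoops_trust_path',  // ".." segments leading out of DocumentRoot
    'trust_link',                // symlink resolving into DocumentRoot
    'does_not_exist',            // path that cannot be resolved
];
foreach ($candidates as $rel) {
    $ok = trust_path_is_outside_docroot($base . '/' . $rel, $docRoot);
    printf("%-26s %s\n", $rel, $ok ? 'accepted: outside DocumentRoot' : 'rejected');
}
```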


XOOPS_TRUST_PATH was named by minahito.
I feel this name "TRUST" sounds good for the concept.




You can read more news at PEAK XOOPS.
http://xoops.peak.ne.jp

The URL for this story is:
http://xoops.peak.ne.jp/md/news/index.php?page=article&storyid=101