Should /docs folder be deleted during install or update?

Do not post support requests, bug reports or feature requests. Discuss phpBB here. Non-phpBB related discussion goes in General Discussion!
Scam Warning
User avatar
canonknipser
Registered User
Posts: 2086
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs
Contact:

Re: Should /docs folder be deleted during install or update?

Post by canonknipser » Thu May 09, 2019 11:23 am

Php-files are per se save, because they are interpreted on the web server and their textual content is not presented to the reader (unless your web server is misconfigured and does not interpret php files)
So, the remaining relevant files are the already mentioned two
Changelog and style.cfg

Edit: a relative simple solution would be renaming style.cfg to style.php, adding a valid php header and changing the style reader in acp do read style.php instead of style.cfg
A little more could be done by creating valid php instructions (variable assignment) instead of ini logic inside the file and including it via include syntax similar to the language files.

Another edit: placing a "phpBB-standard-subdir" .htaccess file

Code: Select all

<Files *>
	Order Allow,Deny
	Deny from All
</Files>
in every style base folder would prevent direct reading of the style.cfg via browser on apache installations; for other types of web server (nginx, IIs, ...) similar precautions can be made.
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB

User avatar
John connor
Registered User
Posts: 2245
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron
Contact:

Re: Should /docs folder be deleted during install or update?

Post by John connor » Thu May 09, 2019 11:37 pm

That htacess file won't work because it will block the fetching of the whole style folder. I used this:

Code: Select all

<Files "style.cfg">  
  Order Allow,Deny
  Deny from all
</Files>

User avatar
3Di
Former Team Member
Posts: 14228
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco
Contact:

Re: Should /docs folder be deleted during install or update?

Post by 3Di » Fri May 10, 2019 12:11 am

Again, a potential hacker could link to some template file directly in order to see if there are bits of code that can do spot the version. ;)
Please PM me only to request paid works. Thx.
Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user
Extensions, Scripts, MOD porting, Update/Upgrades
👨‍🏫 | Take a tour to | The Studio | 👨‍🏫

User avatar
</Solidjeuh>
Registered User
Posts: 1716
Joined: Tue Mar 29, 2016 3:45 am
Location: Aalst (Belgium)
Name: Andy Dm
Contact:

Re: Should /docs folder be deleted during install or update?

Post by </Solidjeuh> » Fri May 10, 2019 12:13 am

Keep a backup and f*ck those hackers :lol:

User avatar
John connor
Registered User
Posts: 2245
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron
Contact:

Re: Should /docs folder be deleted during install or update?

Post by John connor » Fri May 10, 2019 4:06 am

I backup and encrypt the whole thing about every two weeks to my Box.com account, Amazon S3, my computer's, local FTP, DVD/RW and Blu-ray RE. Yeah, I backup the hell of my stuff because I have worked so hard on it I never want to lose it all. And I can restore everything in about 30 minutes seen as how my current database is not very big.

But I do run a pretty tight ship. So good luck to the would be hacker or whatever. Though, not everything is "hack proof" but I think I've done a pretty decent job thus far.

User avatar
canonknipser
Registered User
Posts: 2086
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs
Contact:

Re: Should /docs folder be deleted during install or update?

Post by canonknipser » Fri May 10, 2019 6:38 am

John connor wrote:
Thu May 09, 2019 11:37 pm
it will block the fetching of the whole style folder
Yes, that's right - my mistake. css, js and images are fetched directly from the style folder, so they must no be protected ;)
3Di wrote:
Fri May 10, 2019 12:11 am
Again, a potential hacker could link to some template file directly in order to see if there are bits of code that can do spot the version
You can protect the html-files the same way, because they are not directly called, but rendered and stored in the cache-folder in "compiled" form. This leaves "only" css, js and images unprotected.
But of course, there are a lot of possibilities to get information or assumption about the current phpBB-version on a server
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB

User avatar
david63
Registered User
Posts: 16556
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood
Contact:

Re: Should /docs folder be deleted during install or update?

Post by david63 » Fri May 10, 2019 7:12 am

canonknipser wrote:
Fri May 10, 2019 6:38 am
You can protect the html-files the same way, because they are not directly called, but rendered and stored in the cache-folder in "compiled" form. This leaves "only" css, js and images unprotected.
You can protect files as much as you want but it will not stop somebody viewing the page source where you can, quite often, deduce which version is being used if you are familiar with phpBB
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

User avatar
canonknipser
Registered User
Posts: 2086
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs
Contact:

Re: Should /docs folder be deleted during install or update?

Post by canonknipser » Fri May 10, 2019 8:35 am

Yes ->
canonknipser wrote:
Fri May 10, 2019 6:38 am
But of course, there are a lot of possibilities to get information or assumption about the current phpBB-version on a server
(may be I should have added the little word "other" to my statement ;) )
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB

User avatar
3Di
Former Team Member
Posts: 14228
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco
Contact:

Re: Should /docs folder be deleted during install or update?

Post by 3Di » Fri May 10, 2019 7:17 pm

[PHPBB3-13269] Move documentation from package to phpBB.com
it's already planned and on the works for 3.3 BTW. It's not a blocker as you can see.
Please PM me only to request paid works. Thx.
Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user
Extensions, Scripts, MOD porting, Update/Upgrades
👨‍🏫 | Take a tour to | The Studio | 👨‍🏫

Post Reply

Return to “phpBB Discussion”