Active
Project:
backup
Version:
5.x-4.x-dev
Component:
Code
Priority:
Normal
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
12 Apr 2008 at 07:29 UTC
Updated:
12 Apr 2008 at 07:29 UTC
For security reasons, the .htaccess file is NEEDED to forbid access attempts on the backup directory.
In the absence of .htaccess, an anonymous user may download a backup file (which contains the entire backup of the site, modules, and database). Okay, they will have to guess at the name, but...they can download.
Anyways, I modified the code in backup.module:595 to read like this:
if ($file == "." || $file == ".." || $file == ".htaccess" )
I simply allowed the .htaccess file to be ignore.
They maybe a better solution altogether, but that what have.