.htaccess in the backup directory is not allowed
lgammo - April 12, 2008 - 07:29
| Project: | backup |
| Version: | 5.x-4.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Description
For security reasons, the .htaccess file is NEEDED to forbid access attempts on the backup directory.
In the absence of .htaccess, an anonymous user may download a backup file (which contains the entire backup of the site, modules, and database). Okay, they will have to guess at the name, but...they can download.
Anyways, I modified the code in backup.module:595 to read like this:
if ($file == "." || $file == ".." || $file == ".htaccess" )
I simply allowed the .htaccess file to be ignored.
There may be a better solution altogether, but that's what I have.
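
An added example, not part of the original report and not the backup module's own code: one way to keep a deny-all .htaccess in a backup directory while skipping it when listing backup files, as the modified condition above does. The function names, the temporary directory and the sample file are assumptions made for illustration.

```php
<?php
// Added example: all names and paths here are hypothetical, not from backup.module.

// Deny-all rules covering both Apache 2.4 (mod_authz_core) and Apache 2.2.
const BACKUP_HTACCESS = <<<'EOT'
<IfModule mod_authz_core.c>
  Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
  Order allow,deny
  Deny from all
</IfModule>
EOT;

// Write the guard file if it is missing or its content has been altered.
function example_protect_backup_dir(string $dir): bool {
  $path = $dir . '/.htaccess';
  if (is_file($path) && file_get_contents($path) === BACKUP_HTACCESS) {
    return true;
  }
  return file_put_contents($path, BACKUP_HTACCESS, LOCK_EX) !== false;
}

// List backup archives, skipping ".", ".." and the .htaccess guard file.
function example_list_backups(string $dir): array {
  $backups = [];
  foreach (scandir($dir) ?: [] as $file) {
    if ($file == "." || $file == ".." || $file == ".htaccess") {
      continue;
    }
    if (is_file($dir . '/' . $file)) {
      $backups[] = $file;
    }
  }
  return $backups;
}

// Constructed demo: a temporary directory holding one fake backup archive.
$dir = sys_get_temp_dir() . '/backup_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . '/site-backup.tar.gz', 'constructed sample');
var_dump(example_protect_backup_dir($dir));
print_r(example_list_backups($dir));
```

Apache only honours these rules when AllowOverride permits .htaccess for that directory; on other web servers the directory needs an equivalent server-level rule or a location outside the web root.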
