
cache folder should not be placed in document root

Project: Boost
Version: 7.x-1.x-dev
Component: Caching logic
Category: feature request
Priority: normal
Assigned: jleinenbach
Status: postponed
Issue tags: 2.0

Issue Summary

According to the /projects/security-review module:
"It is dangerous to allow the web server to write to files inside the document root of your server."

My suggestion is to place the cache folder in the same directory as the files folder - and it should be hidden, so that there's no more warning by the security-review module:

admin/settings/performance/boost ->
Boost directories and file extensions -> Cache Dir:

sites/all/.cache

This resolved all the warnings of the security-review module.
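The security-review warning quoted above boils down to one question: does the configured Boost cache directory resolve to a location inside the document root? The following check is an added example, not part of this issue or of the Boost module; it assumes Boost's Cache Dir setting is taken relative to the document root when it is not absolute (as in the sites/all/.cache value above), resolves symlinks and ".." with os.path.realpath, and reports whether the directory is inside the document root and whether it is a dot-prefixed ("hidden") directory. Being hidden only keeps the directory out of listings; whether it is reachable over HTTP depends entirely on the web server's access rules, which this script does not inspect.

```python
import os


def resolve_cache_dir(docroot, cache_dir):
    """Absolute, symlink- and '..'-resolved cache path.

    Assumption (not verified against Boost's code): a relative Cache Dir
    value is interpreted relative to the document root.
    """
    if not os.path.isabs(cache_dir):
        cache_dir = os.path.join(docroot, cache_dir)
    return os.path.realpath(cache_dir)


def is_inside_docroot(docroot, cache_dir):
    """True if the cache dir is the docroot itself or lies below it.

    The trailing separator prevents '/var/www/html2' from counting as
    inside '/var/www/html'.
    """
    root = os.path.realpath(docroot)
    target = resolve_cache_dir(docroot, cache_dir)
    return target == root or target.startswith(root + os.sep)


def is_hidden_path(docroot, cache_dir):
    """True if any path component below the docroot starts with a dot."""
    root = os.path.realpath(docroot)
    target = resolve_cache_dir(docroot, cache_dir)
    rel = os.path.relpath(target, root)
    parts = [p for p in rel.split(os.sep) if p not in ("", ".", "..")]
    return any(p.startswith(".") for p in parts)


def assess(docroot, cache_dir):
    """Return a findings dict mirroring the security-review concern."""
    inside = is_inside_docroot(docroot, cache_dir)
    hidden = is_hidden_path(docroot, cache_dir) if inside else False
    findings = []
    if inside:
        findings.append(
            "cache dir is inside the document root: a web-writable path "
            "the security-review module warns about"
        )
        if hidden:
            findings.append(
                "dot-prefixed directory: hidden from listings, but only as "
                "inaccessible as the web server's access rules make it"
            )
    else:
        findings.append(
            "cache dir is outside the document root; confirm the web "
            "server can still serve Boost's cached files from it"
        )
    return {
        "path": resolve_cache_dir(docroot, cache_dir),
        "inside_docroot": inside,
        "hidden": hidden,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from any real site.
    for candidate in ("cache", "sites/all/.cache", "/var/www/boost-cache"):
        report = assess("/var/www/html", candidate)
        print(candidate, "->", report["inside_docroot"], report["hidden"])
        for line in report["findings"]:
            print("   ", line)
```

Run it with your real document root and the value from admin/settings/performance/boost; a cache directory that reports inside_docroot as False is the configuration the security-review module is asking for, while a hidden one inside the docroot only silences the listing concern.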

Comments

#1

Boost doesn't write to the document root. It writes to the cache folder. It is, in short, another files directory.

Placing the cache dir in the files dir will make boost not multisite compatible due to the htaccess rules.
http://api.drupal.org/api/function/file_directory_path/6

In general the security review module is correct, but Boost is a special case where it's not, due to the way it interacts with Apache and how it writes to the cache directory.

#2

The standard cache folder is a writable folder placed in the document root.
As you can see above, I didn't place the cache dir in the files directory.
Instead, it's placed in the sites/all directory path, next to another files directory, but not inside - as it is another files directory - as you say.

#3

Something to consider for the 2.x Boost series.

#4

If you are to do that, I would suggest you move the folder to sites/boost/* and not sites/all. sites/all is expected (by me!) to be read-only.

sites/boost/files could be another one too. That way I could have a boost website that has a higher level of authority in the boost world... With a protection by IP to access that website, then I'd be able to go there but not hackers.

#5

Version: 6.x-1.x-dev » 7.x-1.x-dev
Status: active » postponed

For 7.x-1.x, I wrote a short handbook page.

I don't consider this rather low priority, since you can easily change the directory. (+ I agree with the comment in #1)
