Anthony DiPierro wrote:
> It's not a very good design, security-wise, for included php files to be
> within the web document root. See
> http://meta.wikimedia.org/wiki/Documentation:Security#Alternate_file_layout.
> That said, this situation alone does not seem to be an exploitable security
> problem.
> Personally I've moved all the included files outside the document root.
So do we, as it's easier to manage the files this way (particularly
multiple versions during an upgrade transition).
In your public-facing dir you'll want a copy of any external-facing
files (skin bits etc) and wrappers to index.php etc which call to
wherever you've kept your local script files.
Everything in the web root is a simple way to package it for third-party
users, but you don't have to run it that way. (Unless you're on some
piece of crap provider that doesn't include any space outside the web root.)
-- brion vibber (brion @ pobox.com)
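
The layout described in this thread, sketched as an added example that is not part of the original messages or the project's own tooling: one function splits an unpacked tree into a private code directory plus a thin document root, and a second lists any script that is still reachable by URL. The function names, the `skins` directory name, the one-line wrapper body, and the assumption that the application resolves its includes relative to its own directory are hypothetical.

```shell
#!/bin/sh
# Added example: split an application tree into a private code directory and
# a thin public document root. Paths and file names are constructed.

# split_layout SRC PRIVATE PUBLIC ENTRY...
#   SRC     unpacked application tree (everything in one directory)
#   PRIVATE destination outside the document root for all script files
#   PUBLIC  document root served by the web server
#   ENTRY   entry-point scripts that need a wrapper in PUBLIC (e.g. index.php)
split_layout() {
    src=$1 private=$2 public=$3
    shift 3
    mkdir -p "$private" "$public" || return 1
    # The whole tree, includes and configuration included, goes to PRIVATE.
    cp -R "$src"/. "$private"/ || return 1
    # Only static, external-facing files (skin CSS, images) go to PUBLIC.
    (cd "$src" && find skins -type f ! -name '*.php' 2>/dev/null) |
    while IFS= read -r f; do
        mkdir -p "$public/$(dirname "$f")" && cp "$src/$f" "$public/$f"
    done
    # Each entry point becomes a wrapper that calls the private copy.
    # Assumes the absolute path contains no single quote.
    private_abs=$(cd "$private" && pwd) || return 1
    for entry in "$@"; do
        printf "<?php\nrequire '%s/%s';\n" "$private_abs" "$entry" > "$public/$entry"
    done
}

# stray_scripts PUBLIC ENTRY...
#   Prints every .php file under PUBLIC that is not a listed wrapper.
#   Empty output means no includable code is reachable by URL.
stray_scripts() {
    public=$1
    shift
    (cd "$public" && find . -type f -name '*.php' | sed 's|^\./||' | sort) |
    while IFS= read -r f; do
        keep=no
        for entry in "$@"; do [ "$f" = "$entry" ] && keep=yes; done
        [ "$keep" = yes ] || printf '%s\n' "$f"
    done
}
```

Running `stray_scripts` against the document root after each upgrade shows whether any included file has drifted back under it.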