
By default Allow all access in .htaccess #533

Closed
airbone42 opened this issue Mar 22, 2014 · 7 comments
@airbone42

That's already very dangerous in Magento 1, so is there a chance that this will be changed?

Usually we set Allow/Deny-permissions by settings in the Apache-config, but this is totally overwritten by default in Magento and enables everyone to access the page, even if the server is just thought to be a staging server.

What's the reason for that?


@verklov verklov self-assigned this Apr 1, 2014
@verklov
Contributor

verklov commented Apr 2, 2014

@airbone42, thank you for your question! The team will investigate the issue. We will get back to you once we have an answer to share with you.

@verklov
Contributor

verklov commented Apr 24, 2014

@airbone42, I just received the results of review for this issue. Below is the response:

As you can see from /.htaccess and /pub/.htaccess, by default we have the following configuration:

############################################
## By default allow all access

    Order allow,deny
    Allow from all

However, in Magento 2, we recommend setting DocumentRoot to the pub directory. Such manipulation will prevent direct access to Magento files from the web.

We cannot accept the proposed change as the default configuration we use is the same default configuration for the web server, which is a recommended setting.

We are closing this issue.

@verklov verklov closed this as completed Apr 24, 2014
@airbone42
Author

Hi @verklov,

thanks for the feedback. You're right, it's the default configuration; especially because of that there's no sense in setting it again in the .htaccess file. But as soon as you change that configuration in Apache, Magento will override it again with this .htaccess file!

So if you want to protect your installation by IP or credentials (and I doubt we're the only agency who's protecting their testing installations that way) you have to modify core code (if we consider .htaccess as a core file).

I hope you can check this once more, with all this new information.
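An added configuration example (not from this thread or from Magento) of the override described above: a staging vhost whose per-directory IP restriction is silently undone by Magento's shipped .htaccess, beside a restriction placed in a Location section, which Apache merges after Directory sections and .htaccess files and so cannot be overridden from the web root. Hostname, path and the IP range are assumed placeholders, and the Apache 2.2 directive family is used because that is what the .htaccess itself uses.

```apache
<VirtualHost *:80>
    ServerName staging.example.test          # assumed hostname
    DocumentRoot /var/www/magento/pub        # assumed path; pub/ as the maintainers recommend

    # Weak: restricting in <Directory>. Magento's pub/.htaccess
    # ("Order allow,deny" / "Allow from all") is merged into the same
    # per-directory context, .htaccess wins, and the staging site is public.
    #
    # <Directory /var/www/magento/pub>
    #     AllowOverride All
    #     Order deny,allow
    #     Deny from all
    #     Allow from 203.0.113.0/24
    # </Directory>

    # Hardened: keep AllowOverride All (Magento's rewrite rules need it) and
    # put the access control in <Location>. Location sections are applied
    # after every <Directory> and .htaccess, so the shipped "Allow from all"
    # never gets the last word.
    <Directory /var/www/magento/pub>
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>

    <Location />
        Order deny,allow
        Deny from all
        Allow from 203.0.113.0/24        # constructed office range (TEST-NET-3)
    </Location>
</VirtualHost>
```

Dropping `Limit` from `AllowOverride` would also stop .htaccess from touching access control, but on Apache 2.2 the shipped `Order` line would then be rejected and every request would fail with a 500, so the Location approach is the one that works with the file as Magento ships it.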

@verklov
Contributor

verklov commented Apr 25, 2014

Let me talk to the developer once again and then respond to you.

@lazyguru
Contributor

I would much rather see htaccess removed from core altogether. It should be provided as a .htaccess.sample only (or have the installer generate one similar to how applications like WordPress do it). As an integrator it requires us to break the rule of "don't touch core" when we deploy client sites that require changes to htaccess. Additionally it makes upgrades require that we inspect the htaccess for changes and manually merge those in.

@FiveDigital

+1 @lazyguru Additionally many Magento installations run on nginx where a .htaccess file is quite useless.
