In-Portal Issue Tracker - In-Portal CMS
Viewing Issue Advanced Details
947 [In-Portal CMS] Security bug report always 2010-12-13 10:09 2011-09-19 16:08
Dmitry  
alex  
normal  
closed 5.1.1  
fixed  
 
none 5.1.3-B1  
https://groups.google.com/d/topic/in-portal-dev/pi4bweIypGs/discussion
Created new restricted folder for logs
0
0000947: Create new folder with restricted access from Web
Currently most of the logs and debug info can be accessed via Web, which is a high security risk.

To address this we need to create a new folder under "/system" with restricted access from Web.

Folder name will be ".restricted", it will have 777 permissions and will be used for:

1. ALL types of logs (gateways, shipping, PHP, Web requests)
2. Debug files

NOTES:

1. All of the above logs should be checked and updated to use this NEW folder.

2. Add .htaccess, which will deny any access to that folder.


New setting in config.php: RestrictedPath = "/system/.restricted"
parent of 0001079 closed (5.1.3) !COMMUNITY Script "clear_cache.sh" is not Deleting Debug files
patch restricted_folder_core.patch (6,111) 2011-05-23 05:15
http://tracker.in-portal.org/file_download.php?file_id=1017&type=bug
patch restricted_folder_modules.patch (5,998) 2011-05-23 05:15
http://tracker.in-portal.org/file_download.php?file_id=1018&type=bug
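
A file-level check for the setup this issue describes, written for this page as an added example (it is not taken from the attached patches or the In-Portal code base). The folder path comes from the issue; the function name `check_restricted` and the two deny directives it accepts are assumptions.

```shell
#!/bin/sh
# Added example: audit a document root for the restricted folder from
# issue 0000947. "system/.restricted" comes from the issue text; the
# function name and the accepted directives are assumptions.

# check_restricted DOCROOT
# Prints one finding per line; returns 0 when every check passes, 1 otherwise.
check_restricted() {
    dir="$1/system/.restricted"
    rc=0

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist"
        return 1
    fi

    # The application has to write its logs and debug files here.
    if [ ! -w "$dir" ]; then
        echo "FAIL: $dir is not writable"
        rc=1
    fi

    ht="$dir/.htaccess"
    if [ ! -f "$ht" ]; then
        echo "FAIL: $ht is missing, folder content may be served"
        rc=1
    # Apache 2.2 syntax is "Deny from all", Apache 2.4 is "Require all denied".
    # Anchoring at line start skips directives commented out with '#'.
    elif ! grep -Eiq '^[[:space:]]*(deny[[:space:]]+from[[:space:]]+all|require[[:space:]]+all[[:space:]]+denied)' "$ht"; then
        echo "FAIL: $ht has no deny-all directive"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $dir is writable and carries a deny-all .htaccess"
    fi
    return "$rc"
}
```

A passing result only shows the files are in place: Apache ignores .htaccess when AllowOverride is None and other web servers do not read it at all, so also request a file from the folder over HTTP and confirm the server refuses it.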
Issue History
2011-09-19 16:08 alex Note Added: 0003839
2011-09-19 16:08 alex Status resolved => closed
2011-07-07 13:49 Dmitry Relationship added parent of 0001079
2011-06-14 08:56 alex Changeset attached 5.1.x r14365
2011-06-01 02:50 alex Note Added: 0003515
2011-06-01 02:50 alex Status reviewed and tested => resolved
2011-06-01 02:50 alex Fixed in Version => 5.1.3-B1
2011-06-01 02:50 alex Resolution open => fixed
2011-06-01 02:50 alex Changeset attached 5.1.x r14360
2011-06-01 02:45 alex Changeset attached 5.1.x r14359
2011-06-01 02:44 alex Changeset attached 5.1.x r14358
2011-05-23 17:45 Dmitry Note Added: 0003501
2011-05-23 17:45 Dmitry Assigned To !COMMUNITY => alex
2011-05-23 17:45 Dmitry Status needs testing => reviewed and tested
2011-05-23 05:16 alex Time Estimate Removed 2 =>
2011-05-23 05:16 alex Note Added: 0003496
2011-05-23 05:16 alex Assigned To alex => !COMMUNITY
2011-05-23 05:16 alex Developer => alex
2011-05-23 05:16 alex Status needs work => needs testing
2011-05-23 05:15 alex File Added: restricted_folder_modules.patch
2011-05-23 05:15 alex File Added: restricted_folder_core.patch
2011-05-19 16:18 Dmitry Description Updated bug_revision_view_page.php?rev_id=711#r711
2011-05-18 13:16 Dmitry Time Estimate Added 2
2011-05-18 13:16 Dmitry Assigned To Dmitry => alex
2011-05-18 13:16 Dmitry Additional Information Updated bug_revision_view_page.php?rev_id=709#r709
2011-04-04 11:59 Dmitry Fixed in Version 5.1.3 =>
2011-04-04 11:59 Dmitry Target Version Icebox => 5.1.3
2011-04-04 11:59 Dmitry Assigned To => Dmitry
2011-04-04 11:59 Dmitry Status active => needs work
2011-04-04 11:59 Dmitry Fixed in Version => 5.1.3
2010-12-13 10:09 Dmitry New Issue
2010-12-13 10:09 Dmitry Reference => https://groups.google.com/d/topic/in-portal-dev/pi4bweIypGs/discussion
2010-12-13 10:09 Dmitry Change Log Message => Created new restricted folder for logs

Notes
(0003496)
alex   
2011-05-23 05:16   
Done.

Please create "/system/.restricted" folder and make it writable before testing.

This folder will be committed and its write permissions are already checked during installation/upgrade.
(0003501)
Dmitry   
2011-05-23 17:45   
Tested okay, please commit.
(0003515)
alex   
2011-06-01 02:50   
Fix committed to 5.1.x branch. Commit Message:

Fixes 0000947: Create new folder with restricted access from Web
(0003839)
alex   
2011-09-19 16:08   
Closing, since 5.1.3 release has been released.