I have a site that contains a MediaWiki, and one of the things they suggest when it comes to their LocalSettings.php (similar to s9y's serendipity_config_local.inc.php) to make it a little more secure is to create a separate PHP file outside of the webroot with the database connection settings and call to it with a require_once.
Is that something that might be a good idea for s9y? Would it be possible to do it as the code currently stands?
What are your thoughts?
(Here's a link to their suggestion: https://www.mediawiki.org/wiki/Manual:S ... _passwords )
EDIT: I do see that in the .htaccess, there is a denial to all requests for .inc.php. That protects the file, but I just wonder if the above practice would be just as effective, more effective, or less. I guess this is just an invitation to a broader discussion of "best practice" or preference...
More Secure Config?
Re: More Secure Config?
I think it would be more effective, security-wise. Instead of relying on .htaccess you'd get the access restriction right out of the box.
The relevant code starts in https://github.com/s9y/Serendipity/blob ... c.php#L263. There we'd have to include the config_local in the new location.
The main problem to apply this generally is that it is something we can't do for existing installations. At least I can't think of an upgrade scheme right now that would allow moving the config out of the webroot, and to do so reliably on all possible server configs.
But I see no harm in applying this on your own installation. Just change the include path for that file to a directory outside the webroot that the webserver can read.
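To make the "change the include path" step concrete, here is an added example of what such a bootstrap fragment could look like. It is not Serendipity's own code and is not taken from serendipity_config.inc.php; the path /etc/s9y/serendipity_config_local.inc.php, the constant name S9Y_PRIVATE_CONFIG and the helper s9y_load_private_config() are assumptions for illustration. Beyond the bare require_once, it fails closed if the file is missing, refuses to load credentials that have ended up under DOCUMENT_ROOT again (the case where .htaccess would be the only thing between the password and a GET request), and warns when the file is world-readable, which matters on shared hosts regardless of any HTTP access control.

```php
<?php
// Added example, not Serendipity's code: load the database credentials from
// a file outside the web root, in the spirit of MediaWiki's advice for
// LocalSettings.php. Path and constant name are assumptions.

// Directory outside the document root. The web server user must be able to
// read it, e.g. owner root:www-data, directory mode 0750, file mode 0640.
define('S9Y_PRIVATE_CONFIG', '/etc/s9y/serendipity_config_local.inc.php');

function s9y_load_private_config(string $file): void
{
    $real = realpath($file);
    if ($real === false || !is_readable($real)) {
        // Fail closed: never fall back to a copy inside the web root.
        http_response_code(500);
        exit('Private configuration file is missing or unreadable.');
    }

    // Defence in depth: refuse to load the secrets if the file has been
    // (re)placed under the document root, where a broken rewrite rule or a
    // server that ignores .htaccess could hand it out as plain text.
    $docroot = isset($_SERVER['DOCUMENT_ROOT'])
        ? realpath($_SERVER['DOCUMENT_ROOT'])
        : false;
    if ($docroot !== false && strpos($real, rtrim($docroot, '/') . '/') === 0) {
        http_response_code(500);
        exit('Refusing to load database credentials from inside the web root.');
    }

    // Other local accounts on a shared host can read a world-readable file
    // no matter what the web server does, so flag that separately.
    if ((fileperms($real) & 0004) !== 0) {
        error_log("warning: $real is world-readable; consider chmod 0640");
    }

    require_once $real;
}

s9y_load_private_config(S9Y_PRIVATE_CONFIG);
```

The DOCUMENT_ROOT check is deliberately skipped when the variable is absent (CLI runs such as cron jobs), so the same fragment works for both web and command-line entry points. Note that this only protects the credentials file itself; the .htaccess rule the first post mentions is still worth keeping for the other .inc.php files that remain inside the webroot.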