Content from hidden directories is delivered
fxnn opened this issue · 2 comments
Content from directories whose names start with `.` is accessible.
Humm, another question is whether we really want to always prohibit access to hidden files and directories -- while they are hidden, the UNIX permissions are our means of access control. Denying access to every hidden file seems too restrictive.
Instead, we could just check (and, if not explicitly disabled, require) that files with sensitive information (`.htaccess`) have no world read permissions.
Even quite another question is... Does it make sense to splatter metadata around in the content root in a dozen files and directories prefixed with `.`?
Maybe we should think about introducing a single `.gone` directory, which is never delivered by default (so you can change that via configuration), and which contains stuff like
- `htaccess`
- `templates`
- later possibly `config`
- later possibly `index`
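The two options weighed in this thread, sketched in Go as an added example (not code from the gone project or from the commenters): a delivery check that withholds one metadata directory unless configuration allows it, with an optional stricter mode for every dot-prefixed segment, and an audit that flags sensitive files whose world read bit is set. The names `Policy`, `Deliverable`, `WorldReadable` and `sampleTree` are hypothetical, and the file tree is constructed sample data.

```go
package main

import (
	"fmt"
	"io/fs"
	"path"
	"strings"
	"testing/fstest"
)

// Policy is a hypothetical delivery policy, not gone's own type.
type Policy struct {
	MetaDir               string // single metadata directory, e.g. ".gone"
	ServeMeta, DenyHidden bool   // config override; refuse all dot-prefixed segments
}

// Deliverable cleans the request path first, so "a/../.gone/x" is caught too.
func (p Policy) Deliverable(reqPath string) bool {
	for _, seg := range strings.Split(path.Clean("/"+reqPath), "/") {
		meta := seg != "" && seg == p.MetaDir && !p.ServeMeta
		hidden := p.DenyHidden && strings.HasPrefix(seg, ".")
		if meta || hidden {
			return false
		}
	}
	return true
}

// WorldReadable lists files named in sensitive whose "other" read bit is set.
func WorldReadable(fsys fs.FS, sensitive map[string]bool) []string {
	var found []string
	fs.WalkDir(fsys, ".", func(p string, d fs.DirEntry, err error) error {
		if err == nil && !d.IsDir() && sensitive[d.Name()] {
			if info, e := d.Info(); e == nil && info.Mode().Perm()&0o004 != 0 {
				found = append(found, p)
			}
		}
		return err
	})
	return found
}

// sampleTree is a constructed in-memory content root, not taken from the issue.
var sampleTree = fstest.MapFS{
	".htaccess":      {Mode: 0o644}, // world readable: flagged
	"team/.htaccess": {Mode: 0o640}, // not world readable: passes
	".gone/htaccess": {Mode: 0o600},
}
func main() { fmt.Println(WorldReadable(sampleTree, map[string]bool{".htaccess": true})) }
```

With the default policy only the metadata directory is withheld, so an ordinary dot-prefixed file is still served and access to it rests on UNIX permissions alone.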