Accessibility and security issues [BREAKING CHANGE] #76
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
and titles to hidden submit buttons. Also omit empty values from submit buttons.
Dropping these in favor of server-side redirects. Providing a "oops, you aren't supposed to be here" simply exposes directory structure to the end user. Ideally, apache/nginx should forward all requests to a front controller (index.php) and handle routing at the application layer. Navigating directly to individual PHP files makes it hard to obscure details about the application.
Though it is PHP and thus will render nothing in the browser, we don't want to expose its existence. There's also a possibility that, given a broken or misconfigured state, this file could output its contents
flashadvocate
changed the title
flashadvocate
changed the title
|
adding a lot of |
Nothing about this project is DRY 😂 Also note that the code replaced was the same thing, only an html redirect. The goal is to harden the application with this particular PR. I’m working on a port of this project to laravel, so this is just a means to an end. |
|
@Faq hopefully I didn't come off as snarky. I do not like the methods at present, and I'm working to try and update some of the crazy. Baby steps, because there's a lot of crazy :) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Takes care of a few accessibility issues mentioned in #59 though there's plenty of room for additional work resolving the 190 missing alt attributes across the application's images.
Also makes a breaking change that needs to be incorporated in existing installations of minimanager.
Somewhere, preferably at the bottom of the
config.php, the following should be added:Right now, due to the nature of the application, it is possible to navigate directly to the config file. While this isn't an issue in an ideal world, it does a couple things
config.phpexists at that locationThis is also the reason for dropping
index.htmlfiles in favor of server-side redirects, as these too paint a vivid picture of the directory structure.Ideally, apache/nginx should forward all requests to a front controller (index.php) and handle routing at the application layer. Navigating directly to individual PHP files makes it much easier for attackers to glean potentially useful information.
An alternative would be to move the
config.phpfile somewhere outside the server's docroot to prevent navigating to the file at all. Neither are ideal or elegant, but in lieu of a complete overhaul (which is coming), this provides some additional protection.