Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#949 closed task (fixed)

Installer: Remove file that reveals unnecessary system information

Reported by: jbirch
Owned by: jng
Priority: low
Milestone: 2.1
Component: Installer
Version: 2.1.0
Severity: trivial
Keywords:
Cc:
External ID:

Description

This should be removed from the repo and manually extracted from the .wxs file:

/Installer/Support/Web/Apache2/htdocs/phpTest.php

I'm sure there are other things we should be doing to reduce the standard profile of a MapGuide Apache / install.

Maybe as a start, also set "ServerTokens Prod" in the server properties and "Options -Indexes" for the MapGuide directory in httpd.conf, and "expose_php = Off" in php.ini.

Attachments (1)

httpd.conf.patch (342 bytes) - added by jbirch 10 years ago.

Change History (8)

comment:1 Changed 10 years ago by jng

Milestone: 2.1
Owner: set to jng

comment:2 Changed 10 years ago by jng

Status: new → assigned

comment:3 Changed 10 years ago by jng

Resolution: fixed
Status: assigned → closed

Fixed in r3794. Note that the "Option Indexes" setting was not applied because this would have broken the mapviewer directories underneath.

comment:4 Changed 10 years ago by jbirch

I'm pretty sure that DirectoryIndex is what controls which file to use as the default "index" for a particular directory. All that Options -Indexes does should be to prevent mod_autoindex from kicking in and showing visitors a directory listing via HTML.

comment:5 Changed 10 years ago by jng

If I set Option Index to the web root directory (I assume this is the directory you're talking about?), the mapviewer(php/net/java/ajax) directories will be denied access.

Changed 10 years ago by jbirch

Attachment: httpd.conf.patch added

comment:6 Changed 10 years ago by jbirch

I just attached the change I made on my local install.

This prevents users from getting a directory listing of those folders, but still allows requests to:

/mapviewerajax/?....

to work properly. As far as I could tell, everything worked fine when viewing a basic layout via a preview.

comment:7 Changed 10 years ago by jng

Applied your patch in r3795
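
The three settings suggested in the description, and the distinction between Options -Indexes and DirectoryIndex drawn in comment 4, can be checked with a short audit over the text of httpd.conf and php.ini. This is an added example, not part of the ticket, the attached patch or the MapGuide installer; the function names, sample configs and paths are constructed, and inheritance of Options between directory blocks is not modelled.

```python
import re

OFF_VALUES = {"off", "0", "false", "no", "none", ""}

def audit_httpd(conf_text):
    """Report ServerTokens and Options settings that widen the server's profile."""
    findings, tokens, scope = [], "Full", "server config"  # Full is Apache's default
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            scope = opened.group(1)
        elif line.lower().startswith("</directory"):
            scope = "server config"
        else:
            name, *args = line.split()
            args = [a.lower() for a in args]
            if name.lower() == "servertokens" and args:
                tokens = args[0]
            elif name.lower() == "options":
                # Only lines that themselves turn listings on are reported.
                # DirectoryIndex is ignored: it picks the default file and
                # is unaffected by -Indexes.
                on = {"indexes", "+indexes", "all"} & set(args)
                if on and "-indexes" not in args:
                    findings.append(f"Options enables directory listings in {scope}")
    if tokens not in ("prod", "productonly"):
        findings.append(f"ServerTokens is {tokens}, not Prod")
    return findings

def audit_php_ini(ini_text):
    """Report expose_php unless it is explicitly switched off."""
    value = "On"  # PHP's default when the directive is absent or commented out
    for raw in ini_text.splitlines():
        m = re.match(r'\s*expose_php\s*=\s*"?([^";\s]*)', raw, re.I)
        if m:
            value = m.group(1)
    return [] if value.lower() in OFF_VALUES else [f"expose_php is {value}, not Off"]

# Constructed sample configs (not taken from the MapGuide installer).
WEAK_HTTPD = ('<Directory "C:/example/htdocs">\n    Options Indexes FollowSymLinks\n'
              '    DirectoryIndex index.html index.php\n</Directory>\n')
HARDENED_HTTPD = ('ServerTokens Prod\n<Directory "C:/example/htdocs">\n'
                  '    Options -Indexes\n    DirectoryIndex index.html index.php\n'
                  '</Directory>\n')

if __name__ == "__main__":
    for label, text in (("weak", WEAK_HTTPD), ("hardened", HARDENED_HTTPD)):
        print(label, audit_httpd(text))
```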
