This forum has moved to a new location and is in read-only mode. Please visit talk.octobercms.com to access the new location.

st9fan3694

I've just stumbled upon octobercms and as I've already played around a bit with laravel I decided to give it a try. Perhaps what hit my eye most strikingly is the different directory structure in octobercms and laravel: in laravel I have a 'public' directory to which I point for my installation if accessed over the net (http://www.mywebsite.tld points to public/index.php). In octobercms that index.php file is on the same level in the directory hierarchy as all the other parts like e.g. app/config. I would usually avoid having my config (containing my db credentials etc.) in a place that's (in theory) accessible over www. Is it possible (resp. recommendable) to move index.php to e.g. public/index.php and let the webserver point to that location as public access-point instead of the default location? Or would that break future updates or have some other negative side effects?

thanks, Stefan

406digital

I would like to see this as an option / consideration as well.

daftspunky

This seems to be a recurring topic.

So we may have to see what can be done, specifically the possibility to add aftermarket potential to use a public folder. It would have to be something unofficial though.

I have reopened Issue 122 for monitoring progress on this.

st9fan3694

Meanwhile I've configured my installation. If I point my browser to http://mywebsite.tld/app/config/production/database.php I get a 'Page not found' (404) which is what I would like to see. I guess this is handled via October's .htaccess file, so it's not really something I'm too worried about. I think it's done well though I'm wondering if having a 'public' directory as access point wouldn't be a more fail-safe solution. Don't know how many people are trying to fiddle around with the .htaccess file (for what reason as long as everything works...). I guess most ISPs offer a proper environment nowadays that allows a directory layout where the config files and other stuff that shouldn't be accessible over the net can be put outside the publicly accessible directory.

But anyway, I'm pretty impressed how smoothly anything goes and I'm looking forward to trying out October's features (happily getting away from bending wordpress to the extreme...).

gm.outside

I've just commented on issue 122 describing that OctoberCMS is fine in respect to the security configuration of the application. There is nothing to be fixed, really. Just a proper configuration of your web server and PHP.

chris

Issue 122 is marked as closed, is there still any hope that it'll get fixed? I posted a comment there, but I'm not sure if it's a lost cause...

Mike F

This is a real concern. Still not convinced? October folks, I can see your composer file: https://octobercms.com/composer.json and your php unit file: https://octobercms.com/phpunit.xml

If I spent a little time, I could also view any other file that you might happen to have in your document root if it ends in .txt, .json, etc.

If you are a developer working on multiple projects, project root is the only reasonable place to put some of these files. Just one reason that project root should never be used as document root -- this is security 101.

I love other aspects of October, which is why I'd really like to see this fixed :)

asbig

I'm getting "Page not found" on both those links and also on a project I'm working on that is still using the beta installation.

I'd like to be able to prevent this if it exists, so is there something I'm missing?
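
Added example, not part of the original thread and not October's own code: a small Python check that repeats the browser test described in the posts above against your own installation, using the three paths named in this thread. The function names and the base URL argument are assumptions made for the example.

```python
"""Probe your own site for files that should not be served from the document root."""
import sys
import urllib.error
import urllib.request

# Paths named in this thread; extend with other files in your project root.
PATHS = [
    "app/config/production/database.php",
    "composer.json",
    "phpunit.xml",
]


def http_status(url, timeout=5):
    """Return the HTTP status for a GET of url, or None if the host is unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:  # 4xx/5xx arrive as exceptions
        return exc.code
    except (urllib.error.URLError, OSError):
        return None


def classify(status):
    """Map a status code to a verdict for the report."""
    if status is None:
        return "unreachable"
    if status in (403, 404):
        return "blocked"
    if 200 <= status < 300:
        return "served"  # also covers a .php file the server executed
    return "review"      # e.g. 401 or 500: inspect by hand


def audit(base_url, paths=PATHS, fetch=http_status):
    """Return (path, status, verdict) for each path under base_url."""
    results = []
    for path in paths:
        url = base_url.rstrip("/") + "/" + path.lstrip("/")
        status = fetch(url)
        results.append((path, status, classify(status)))
    return results


if __name__ == "__main__":
    # Usage: python audit.py https://your-own-site.example
    for path, status, verdict in audit(sys.argv[1]):
        print(f"{verdict:12} {status}  {path}")
```

Because `urlopen` follows redirects, a path that redirects to a normal page is reported as "served"; check the response body by hand before treating it as a leak.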
