A new feature for SilverStripe should be ...

Include Root should be configured

The root path for files processed by SilverStripe should be configured, rather than assumed as the Document Root. Preferably, the SilverStripe root should be *above* the server Document Root. This narrows the range of bugs which could allow these configuration files to be leaked.

Most files - most particularly those containing sensitive data such as database passwords - should be processed relative to the Include Root, not the Document Root. (The Include Root, of course, still needs to have its own configuration set in a known location. Presumably that is the only configuration under the Document Root.)

If a developer _wants_ to configure the Include Root to be under the Document Root, so be it.

e.g.
/path/to/mysite/ss/... <- config files under this tree
/path/to/mysite/public_html/... <- public files under this tree

4 votes
Paul O shared this idea
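
One way an application bootstrap could enforce the layout described in the post, as an added PHP sketch (not SilverStripe code and not from the original poster). The function names, the `db.php` file and the temporary directory layout are assumptions made for the illustration.

```php
<?php
// Added illustration, not SilverStripe code; every name below is hypothetical.

// True when $path is $base itself or lies beneath it (both already canonical).
function path_is_within(string $path, string $base): bool
{
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $path = rtrim($path, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $base, strlen($base)) === 0;
}

// Canonicalise the configured Include Root and report whether it is web-exposed.
function resolve_include_root(string $configured, string $documentRoot): array
{
    $include = realpath($configured);   // follows symlinks, collapses ".."
    $docroot = realpath($documentRoot);
    if ($include === false || !is_dir($include)) {
        throw new RuntimeException('Include Root does not exist: ' . $configured);
    }
    if ($docroot === false) {
        throw new RuntimeException('Document Root does not exist: ' . $documentRoot);
    }
    return ['path' => $include, 'under_docroot' => path_is_within($include, $docroot)];
}

// Build a path under the Include Root, refusing anything that resolves outside it.
function include_path(string $includeRoot, string $relative): string
{
    $full = realpath($includeRoot . DIRECTORY_SEPARATOR . $relative);
    if ($full === false || !path_is_within($full, $includeRoot)) {
        throw new RuntimeException('Not inside Include Root: ' . $relative);
    }
    return $full;
}

// Constructed demo layout mirroring the post: .../ss and .../public_html
$site = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'mysite_' . getmypid();
mkdir($site . '/ss', 0700, true);
mkdir($site . '/public_html', 0755, true);
file_put_contents($site . '/ss/db.php', "<?php return ['db_password' => 'example'];\n");

$root = resolve_include_root($site . '/ss', $site . '/public_html');
if ($root['under_docroot']) {
    // The post allows this choice; log it so the operator sees the exposure.
    error_log('Include Root is under the Document Root: ' . $root['path']);
}
$config = require include_path($root['path'], 'db.php');
echo 'Loaded config from ', $root['path'], PHP_EOL;
```

Comparing canonical paths with a trailing separator avoids treating a sibling such as `public_html_old` as being inside `public_html`, and resolving symlinks first catches an Include Root that is linked into the web tree.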

3 comments
