A new feature for SilverStripe should be ...

Include Root should be configured

The root path for files processed by SilverStripe should be configured, rather than assumed as the Document root. Preferably, the SilverStripe root should be *above* the server Document root. This narrows the range of bugs which could allow these configuration files to be leaked.

Most files - most particularly those containing sensitive data such as database passwords - should be processed relative to the Include Root, not the Document Root. (The Include Root, of course, still needs to have its own configuration set in a known location. Presumably that is the only configuration under the Document Root).

If a developer _wants_ to configure the Include Root to be under the Document root, so be it.

e.g.
/path/to/mysite/ss/... <- config files under this tree
/path/to/mysite/public_html/... <- public files under this tree

4 votes
Paul O shared this idea
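
An added example, not part of the original idea or of SilverStripe's own code: a Python check an administrator could run to confirm that a deployment follows the layout proposed above, with the Include Root outside the Document Root and no configuration-like files under the public tree. The file-name patterns and the sample directory trees are assumptions constructed for the illustration.

```python
import tempfile
from pathlib import Path

# Assumed name patterns for files that should not sit under the Document Root.
SENSITIVE_PATTERNS = ("*.env", "*config*.php", "*.yml")

def is_within(child, parent):
    """True if child is parent or lies below it, after resolving symlinks and '..'."""
    child, parent = Path(child).resolve(), Path(parent).resolve()
    # Compare path components, not string prefixes, so that
    # public_html_old is not mistaken for a child of public_html.
    return child == parent or parent in child.parents

def audit_layout(include_root, document_root):
    """Return a list of findings; an empty list means the layout matches the proposal."""
    inc, doc = Path(include_root), Path(document_root)
    findings = []
    if is_within(inc, doc):
        findings.append(f"include root {inc} is inside document root {doc}")
    for pattern in SENSITIVE_PATTERNS:
        for hit in sorted(doc.rglob(pattern)):
            findings.append(
                f"sensitive file under document root: {hit.relative_to(doc)}")
    return findings

def demo():
    """Build a separated and a nested layout (constructed sample trees) and audit both."""
    base = Path(tempfile.mkdtemp())
    good_inc, good_doc = base / "good/ss", base / "good/public_html"
    bad_doc = base / "bad/public_html"
    bad_inc = bad_doc / "ss"  # Include Root nested under the Document Root
    for d in (good_inc, good_doc, bad_inc):
        d.mkdir(parents=True)
    (good_inc / "db_config.php").write_text("<?php // constructed sample\n")
    (good_doc / "index.php").write_text("<?php // constructed sample\n")
    (bad_inc / "db_config.php").write_text("<?php // constructed sample\n")
    return audit_layout(good_inc, good_doc), audit_layout(bad_inc, bad_doc)

if __name__ == "__main__":
    good, bad = demo()
    print("separated layout:", good or "no findings")
    print("nested layout:", *bad, sep="\n  ")
```
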

    3 comments

      • Zauberfisch commented  · 

        (Note, making the root path configurable is not such a big deal for me, I would be fine with the framework parts being forced outside the document root.)

      • Zauberfisch commented  · 

        There has actually been a lot of work done on that subject, and the issue was recently discussed again when talking about package management, the composer vendor/ folder and some other topic.

        But I still don't know what the status of that is.
        Would love to get this issue back into the spotlight and see this implemented soon.
