-
2010-12-04
ach
The data security check in the admin (in which an image from the data directory is called to check if that directory is secure) is insufficient. In case the data directory has been moved to another place (as advised on the security page and also a common scenario in farms), the new data directory should be checked. (Ideally both directories should be checked, in case the data directory has been moved later and the old one hasn't been deleted. Not sure if that is really necessary, though.)
So, "url(data/security.png)" should be "url($['data']/security.png)".
-
2011-02-06
ach
In case the data directory has been moved to another place, the security check is highly likely to be not needed anymore anyway.
-
2011-02-06
ach
What could be done: Check and only display the security check image if $conf['savedir'] is under the web root.
-
2011-04-06
andi
I'm not sure if we are even able to reliably detect the web root. In an Apache environment there is $_SERVER[DOCUMENT_ROOT], but I'm not sure if this environment is always available...
-
2013-02-16
ChrisS
The check is to ensure that requests can't be served directly from the wiki's data directory. Even if it's been moved, the test still applies. If it has been moved the test on '{wiki_root}/data' is irrelevant.
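
The path test proposed in the thread (is `$conf['savedir']` under the web root?), sketched as an added example that is not part of the thread or DokuWiki's code. The helper name `is_under_web_root()` and the demo directory tree are hypothetical, and the caller is assumed to pass an absolute save directory plus whatever `$_SERVER['DOCUMENT_ROOT']` contains, which may be nothing.

```php
<?php
// Added example, not DokuWiki code. is_under_web_root() is a hypothetical helper.

/**
 * true  = $dir resolves to a location inside $docRoot
 * false = $dir resolves to a location outside $docRoot
 * null  = cannot tell (no document root known, or a path does not exist)
 */
function is_under_web_root(string $dir, ?string $docRoot): ?bool
{
    if ($docRoot === null || $docRoot === '') {
        return null; // DOCUMENT_ROOT is not set under every server/SAPI (e.g. CLI)
    }
    // realpath() resolves symlinks and ".." and returns false for missing paths.
    $dirReal  = realpath($dir);
    $rootReal = realpath($docRoot);
    if ($dirReal === false || $rootReal === false) {
        return null;
    }
    // Compare with a trailing separator so /srv/www2 is not taken as inside /srv/www.
    $sep      = DIRECTORY_SEPARATOR;
    $dirReal  = rtrim($dirReal, $sep) . $sep;
    $rootReal = rtrim($rootReal, $sep) . $sep;
    return strncmp($dirReal, $rootReal, strlen($rootReal)) === 0;
}

// Constructed demo tree under the system temp directory.
$base = sys_get_temp_dir() . '/savedir_demo_' . getmypid();
$dirs = ['www/wiki/data', 'www2/data', 'private/data'];
foreach ($dirs as $d) {
    mkdir("$base/$d", 0700, true);
}
$cases = [
    'default location'      => ["$base/www/wiki/data", "$base/www"],
    'sibling with prefix'   => ["$base/www2/data", "$base/www"],
    'moved out of web root' => ["$base/private/data", "$base/www"],
    'via ".." into root'    => ["$base/private/../www/wiki/data", "$base/www"],
    'no DOCUMENT_ROOT'      => ["$base/www/wiki/data", null],
];
foreach ($cases as $label => [$dir, $root]) {
    printf("%-22s %s\n", $label, var_export(is_under_web_root($dir, $root), true));
}
// Remove the constructed tree again (deepest directories first).
foreach (['www/wiki/data', 'www/wiki', 'www', 'www2/data', 'www2', 'private/data', 'private'] as $d) {
    rmdir("$base/$d");
}
rmdir($base);
```

A `false` result only says the directory is outside the document root; an alias or a second virtual host can still expose it, so it does not replace the HTTP request for the image. The string comparison is case-sensitive, which is stricter than the filesystem on Windows and default macOS volumes.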