Bad idea to rename files to *.php~ when updating

Started by Daretary, February 19, 2023, 05:06:57 AM


Daretary

Not everyone installing a forum has the necessary expertise to correctly configure the server (or at least .htaccess).

Because of this, every forum update makes it easier for hackers to attack these forums.


Obviously, nothing is wrong with https://www.simplemachines.org/community/index.php~. But you can see a lot of php code in https://smf***.com/index.php~ and other files, though, if you browse the SMF forums.
And many fixes (including, but not limited to, confidential ones) were added there by users, which are now accessible to everyone!

I offer a quick and straightforward solution, at least for the foreseeable future: while updating, rename files to *~.php rather than *.php~.

DeadMan...

It's been this way for years, not just with SMF, but with just about everything else.
No security issues have ever been found or reported about something like this.
So, I really doubt this will be changed.

In reality, doing ~.php makes the file easier for people to access.
You can call up a ~.php file in the browser, whereas if you try to access a .php~ you get the following:

Quote:
Forbidden
You don't have permission to access this resource.

Additionally, a 403 Forbidden error was encountered while trying to use an Error Document to handle the request.
I tell it how I see it... Don't like it? Hit Alt+F4!

Daretary

I compel smf-forum owners to put the following code into .htaccess at the very least:
RewriteEngine On
RewriteRule ^(.*)~$ / [R=301,L]
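As an added example (not code from the thread or from SMF), the script below audits a local document root for the leftovers discussed in this thread and mirrors the regex of the RewriteRule posted above, so an admin can see which files the rule would catch and which it would not. The sample tree it builds is constructed; the verdicts assume Apache's default handling of unknown extensions and PHP handling of any name ending in .php.

```python
import os
import re
import tempfile

# Other editor/updater leftovers worth flagging (constructed list, not from the thread).
BACKUP_SUFFIXES = (".bak", ".orig", ".save")

# Same pattern as the posted RewriteRule: a request path ending in "~".
TILDE_RULE = re.compile(r"^(.*)~$")

def rule_blocks(request_path):
    """True if the posted RewriteRule would redirect this request away."""
    return TILDE_RULE.match(request_path) is not None

def classify(filename):
    """How a stray file in the document root behaves on a default Apache + PHP setup."""
    if filename.endswith("~"):
        # No handler for the "~" extension: Apache returns the raw bytes,
        # so the PHP source (and any hand-made fixes in it) is readable.
        return "source-disclosure"
    if filename.endswith(".php") and "~" in filename:
        # e.g. index~.php: the name still ends in .php, so PHP executes it.
        return "executes-stale-code"
    if filename.endswith(BACKUP_SUFFIXES):
        return "source-disclosure"
    return "ok"

def audit_webroot(root):
    """Walk a document root and list files whose name marks them as backups."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            verdict = classify(name)
            if verdict != "ok":
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel.replace(os.sep, "/"), verdict))
    return sorted(findings)

def demo():
    """Constructed webroot: a forum after an update, plus one file renamed the proposed way."""
    root = tempfile.mkdtemp()
    for rel in ("index.php", "Settings.php", "index.php~", "Sources/Load.php~",
                "Sources/Load~.php", "Themes/default/index.template.php"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed placeholder\n")
    return audit_webroot(root)
```

Running `demo()` reports both `.php~` copies as source disclosure and the `~.php` copy as stale code that would execute; `rule_blocks("index~.php")` is False, which is DeadMan's objection to the rename.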

Steve

You 'compel'?

Is English your native language? If not, disregard.
My pet rock is not feeling well. I think it's stoned.

Arantor

You know you can turn this off, right? The php~ files aren't produced during the update, they're produced before the update runs, and it's possible to disable this in the admin panel.

But I've been advocating for a better solution than this for years - by having mods that don't change core files, so you don't need to have the backups-just-in-case in the first place. No-one seems particularly interested because they're always too afraid of 'but what if I have to make (a specific change that can't be accommodated any other way)'... well, you gotta have more infrastructure for this to be viable but it *is* viable and has been viable for at least a decade. I was *doing it* a decade ago in something based off SMF. And so have other forum platforms.
Holder of controversial views, all of which my own.


Aleksi "Lex" Kilpinen

You do understand that the whole codebase is available for anyone to browse on Github?
There should not be anything that confidential in the files usually, if there is you've done something fairly stoopid.
On top of that, you can stop this behaviour completely as mentioned by Arantor.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Arantor

Paid-for mods and custom development exist though.

Daretary

Quote from: Arantor on February 19, 2023, 06:03:49 AM
Paid-for mods and custom development exist though.

This is one of the main arguments against .php~
We have worked out complex individual changes in the code.
However, we are now gradually taking them out of smf files using include and require (_once).
Mods are also worse than manual editing. I will say nothing about hooks. :-X

Quote from: Arantor on February 19, 2023, 06:01:53 AM
You know you can turn this off, right?

I talked in the first post about inexperienced users.

Quote from: Aleksi "Lex" Kilpinen on February 19, 2023, 06:02:41 AM
There should not be anything that confidential in the files usually, if there is you've done something fairly stoopid.

The main thing is that the forum does not update Settings.php. ;D

DeadMan...

Quote from: Daretary on February 19, 2023, 06:13:36 AM
Quote from: Arantor on February 19, 2023, 06:01:53 AM
You know you can turn this off, right?

I talked in the first post about inexperienced users.

This would be the more ideal way for inexperienced users.
They'd have better chances of using this method, than they would with your .htaccess way.

Arantor

Quote from: Daretary on February 19, 2023, 06:13:36 AM
Mods are also worse than manual editing.

Disagree: mods are *exactly the same* as manual editing, except you have a record of what was edited in a way you don't without putting the entire thing in source control.

Quote from: Daretary on February 19, 2023, 06:13:36 AM
I will say nothing about hooks.

I'm curious how you think having some kind of add-on system could possibly work without using hooks; they're literally points throughout the code where the code can ask if external modules/add-ons/bridged systems want to do anything. Edit free, that's *literally* the point.

Every grown-up system has hooks because it's one of the two methods you *have* to use to make this stuff work (the second is something akin to XenForo's class proxy system, to overload and mixin across existing classes).

Daretary

Quote from: DeadMan... on February 19, 2023, 06:19:13 AM
This would be the more ideal way for inexperienced users.
They'd have better chances of using this method, than they would with your .htaccess way.

I agree. But if the developers had originally closed this leak, it would have been a better solution.

Quote from: Arantor on February 19, 2023, 06:20:29 AM
Disagree: mods are *exactly the same* as manual editing, except you have a record of what was edited in a way you don't without putting the entire thing in source control.

Maybe you're right. Maybe we are just too lazy to "wrap" all the changes in mods. The easiest thing is to go straight to the code. :)

Arantor

Perhaps you should try phpBB for a spell where the kind of installation you describe is normal.

DeadMan...

This person can't make up its mind.
The main complaint is the filenames after file edits.
If you do hooks, you'd not have those file edits, hence no files ending in .php~
Seems to me, the OP is more like trolling...
* DeadMan... knows...

Arantor

No, he's trying to make the argument for just directly editing files rather than using mod packages because that's what he does himself.

If it's done with a full version control system, it's fine. I get the impression that this is not what's in place, however.