
Files outside the web root are not accessible by the user via HTTP, so I don't see the issue with that?

Unless you include it from somewhere in the web root, but that's the other insecure-by-default behaviour I was hinting at. With a secure-by-default web framework, it's not possible to get the code to show at all because it's not intermingled with the content.




If there are no PHP files in the web root then what does your web site do?

Every block of PHP code must begin with '<?php', regardless of where it's located, or whether it's included from another file.

I do agree with you that this is a silly behaviour. But it's nothing to do with the web root.
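A defensive check for the behaviour discussed in this thread, as an added example that is not part of either comment: PHP emits everything before the first opening tag as literal output, so this script flags files whose untagged prefix looks like code. The extension list, the code heuristic, and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Opening tags PHP recognises: "<?php" followed by whitespace, and "<?=" (echo tag).
# A bare "<?" is only honoured when short_open_tag is enabled, so it is not counted.
OPEN_TAG = re.compile(rb"<\?(?:php\s|=)", re.IGNORECASE)
INCLUDE_EXTS = {".php", ".inc", ".phtml"}  # assumed extensions for this example


def literal_prefix(data: bytes) -> bytes:
    """Return the bytes PHP would emit verbatim before the first opening tag."""
    m = OPEN_TAG.search(data)
    return data if m is None else data[: m.start()]


def looks_like_code(text: bytes) -> bool:
    """Rough heuristic: a PHP variable assignment or a function definition."""
    return re.search(rb"\$[A-Za-z_]\w*\s*=|function\s+\w+\s*\(", text) is not None


def find_leaky_files(root: Path) -> list[str]:
    """List files whose content before any opening tag looks like PHP source."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in INCLUDE_EXTS:
            if looks_like_code(literal_prefix(path.read_bytes())):
                hits.append(path.relative_to(root).as_posix())
    return hits


def build_sample_tree(root: Path) -> None:
    """Constructed sample files, not taken from any real project."""
    (root / "public").mkdir()
    (root / "lib").mkdir()
    (root / "public" / "index.php").write_bytes(
        b"<?php\nrequire __DIR__ . '/../lib/config.inc';\necho 'hi';\n")
    # Missing opening tag: whether included or requested, this is emitted as text.
    (root / "lib" / "config.inc").write_bytes(
        b"$db_password = 'constructed-example';\n")
    (root / "lib" / "helpers.php").write_bytes(
        b"<?php\nfunction greet($n) { return \"hi $n\"; }\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        print(find_leaky_files(Path(tmp)))
```

In the sample tree the flagged file sits outside the web root and is still emitted as text once `index.php` includes it, which is why the scan covers the whole tree and not only the public directory.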



