
erb theme files must not be accessible
Reported by Stefan | May 8th, 2009 @ 10:56 AM
Because themes and templates are located in the application's public folder, I can access an erb file using for example http://localhost:3000/themes/theme1/templates/shared/_footer.html.erb.

This IMHO is a no-go. You could probably add some access restrictions to your webserver, but the default configuration shouldn't be insecure.
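The report above is about template sources being served as plain static files because they live under `public/`. The following is an added example, not code from adva_cms or from the reporter: a Rack-compatible middleware that refuses requests for template sources under the theme URL prefix (assumed to be `/themes`, as in the URL from the report), plus a helper that lists template files sitting under a public directory so they can be moved out of it. The extension list, the `ThemeTemplateGuard` name and the `/themes` prefix are assumptions for illustration.

```ruby
# Added example (not adva_cms code): refuse to serve raw template sources
# that live under the public theme directory, and find such files.
require 'tmpdir'
require 'fileutils'

module ThemeTemplateGuard
  # Template extensions that must never be served as static files (assumed list).
  TEMPLATE_EXTENSIONS = %w[.erb .rhtml .haml .liquid .builder].freeze

  # Rack middleware: any request for a template source below `prefix`
  # gets a 404 before the static file handler or the app sees it.
  class Middleware
    def initialize(app, prefix: '/themes')
      @app = app
      @prefix = prefix
    end

    def call(env)
      path = env['PATH_INFO'].to_s
      if ThemeTemplateGuard.template_request?(path, @prefix)
        return [404, { 'Content-Type' => 'text/plain' }, ["Not Found\n"]]
      end
      @app.call(env)
    end
  end

  # True when `path` points at a template source under `prefix`.
  # Percent-encoding and case are normalised first, so "_footer.html%2Eerb"
  # or "_footer.html.ERB" cannot slip past the extension check.
  def self.template_request?(path, prefix = '/themes')
    decoded = path.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }.downcase
    return false unless decoded.start_with?(prefix.downcase + '/')
    TEMPLATE_EXTENSIONS.any? { |ext| decoded.end_with?(ext) }
  end

  # Lists template sources found anywhere under `public_dir`, relative to it.
  # Use this to audit a deployment: anything returned is reachable over HTTP.
  def self.exposed_templates(public_dir)
    Dir.glob(File.join(public_dir, '**', '*')).select do |f|
      File.file?(f) && TEMPLATE_EXTENSIONS.include?(File.extname(f).downcase)
    end.map { |f| f.sub(/\A#{Regexp.escape(public_dir)}\/?/, '') }.sort
  end
end

if __FILE__ == $0
  # Constructed demo: a throwaway public dir with one theme template and one stylesheet.
  Dir.mktmpdir do |pub|
    FileUtils.mkdir_p(File.join(pub, 'themes/theme1/templates/shared'))
    File.write(File.join(pub, 'themes/theme1/templates/shared/_footer.html.erb'), '<%= "x" %>')
    File.write(File.join(pub, 'themes/theme1/site.css'), 'body {}')
    puts "exposed: #{ThemeTemplateGuard.exposed_templates(pub).inspect}"
  end

  app = ThemeTemplateGuard::Middleware.new(->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] })
  %w[/themes/theme1/templates/shared/_footer.html.erb /themes/theme1/site.css].each do |p|
    status, = app.call('PATH_INFO' => p)
    puts "#{p} -> #{status}"
  end
end
```

In a Rails application this would be inserted with `config.middleware.insert_before` ahead of the static file server; the middleware is a stop-gap for the webserver rule the report mentions, while `exposed_templates` tells you which files still need to move out of `public/` so the default layout stops being insecure.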
Comments and changes to this ticket
Clemens Kofler May 14th, 2009 @ 02:36 PM
- Tag set to security, themes
- State changed from new to open
Any suggestions on how we should tackle this, Stefan?
Cutting edge cms, blog, wiki, forum ... platform.
Find the code on GitHub: adva cms (http://github.com/svenfuchs/adva_cms/tree/master)
Part of the business application framework adva best (http://www.advabest.org/)