#302 open

erb theme files must not be accessible

Reported by Stefan | May 8th, 2009 @ 10:56 AM

Because themes and templates are located in the application's public folder, I can access an erb file using, for example, http://localhost:3000/themes/theme1/templates/shared/_footer.html.erb. This IMHO is a no-go. You could probably add some access restrictions to your webserver, but the default configuration shouldn't be insecure.
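An added example, not part of the original ticket and not adva cms code: one way to apply the access restriction the report mentions at the application layer is a Rack middleware that answers 404 for template source below the theme path. The class name, the extension list and the default `/themes/` prefix (taken from the URL in the report) are assumptions.

```ruby
require "uri"

# Added example, not adva cms code: Rack middleware that answers 404 for
# template source files below the theme path used in the ticket's URL.
class BlockTemplateSource
  # Assumption: these extensions mark server-side template source.
  BLOCKED = %w[.erb .rhtml .haml .builder .rxml .rjs .liquid].freeze
  NOT_FOUND = "Not Found".freeze

  def initialize(app, prefix: "/themes/")
    @app = app
    @prefix = prefix.downcase
  end

  def call(env)
    return @app.call(env) unless template_source?(env["PATH_INFO"].to_s)
    headers = { "Content-Type" => "text/plain",
                "Content-Length" => NOT_FOUND.bytesize.to_s }
    [404, headers, [NOT_FOUND]]
  end

  # True when the request names template source under the prefix.
  def template_source?(raw_path)
    # Decode once, as a file server would; compare bytes case-insensitively.
    path = URI.decode_www_form_component(raw_path).b.downcase.tr("\\", "/")
    return true if path.include?("\0")           # fail closed on NUL bytes
    segments = normalize(path)
    return false unless "/#{segments.join('/')}/".start_with?(@prefix)
    segments.any? do |segment|
      # Trailing dots and spaces are dropped by some file systems.
      BLOCKED.include?(File.extname(segment.sub(/[. ]+\z/, "")))
    end
  rescue ArgumentError                            # malformed %-encoding
    true
  end

  private

  # Resolve "." and ".." so "/x/../themes/..." is seen as "/themes/...".
  def normalize(path)
    path.split("/").each_with_object([]) do |part, out|
      next if part.empty? || part == "."
      part == ".." ? out.pop : out << part
    end
  end
end

# config.ru (constructed usage): place it ahead of whatever serves public/.
#   use BlockTemplateSource
```

If a front-end web server serves the public folder directly, those requests never reach Rack, so the same rule has to be configured there as well.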


Cutting edge cms, blog, wiki, forum ... platform.

Find the code on GitHub: adva cms (http://github.com/svenfuchs/adva_cms/tree/master)

Part of the business application framework adva best (http://www.advabest.org/).