well I can use the following which does stop access to these extensions, but i'm still a little uneasy about anyone having access to directories like
.../elgg-config/
.htaccess
# deny these from url access (Apache comments must be on their own line;
# a trailing comment after a directive is a syntax error)
<FilesMatch "\.(rst|MD|txt)$">
Require all denied
</FilesMatch>
thanks
The only important point is that you don't set write permission for the files/folders of the install folder of Elgg and its subfolders. The only exception might be during the installation, where it might temporarily be necessary to allow the Elgg installer to create settings.php and .htaccess. Afterwards the write permission should no longer be necessary at all, as the webserver would only have to read the files and read/access the folders but not write into them.
The files you are so worried about are freely downloadable here from the site (within the zip archive), and everyone can also view them at the Elgg GitHub repository. There's no secret in them, so no harm in anyone seeing their content (which would still require knowing the full path).
Thanks iionly,
I've played around with the RewriteCond and this seems to have sorted it out. I will need to watch it for a while to see if it has any knock-on effect on other plugins. The first line covers my homepage, where there are some direct links to jpg, css files etc., then everything else is forced through the Elgg route.
# let the homepage plugin's own files (jpg, css, ...) be served directly
RewriteCond %{REQUEST_URI} !^/mod/homepage_elgg/(.*)$
# "-f OR !-f" is always true, so every other URL is handed to index.php
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} !-f
#RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?__elgg_uri=$1 [L,QSA]
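An added example, not Elgg's shipped .htaccess and not the code of either poster, that combines the two concerns in this thread in one file: refusing direct URL access to the documentation files and to elgg-config/, and routing the remaining URLs through Elgg's front controller. It assumes Apache 2.4 with mod_rewrite, Elgg installed at the document root, and a site that serves /robots.txt through Elgg rather than as a physical file (hence the carve-out). With explicit denies in place the usual "!-f" and "!-d" conditions are enough: existing files such as the homepage plugin's css and jpg assets are served directly, so no per-plugin exception is needed. Note that in the rule set posted above the pair "-f [OR] !-f" is always true, so that version sends every URL outside mod/homepage_elgg/ to index.php regardless of whether a file exists.

```apache
# Added example, not Elgg's own .htaccess. Assumes Apache 2.4 with
# mod_rewrite and Elgg installed at the document root.

# Apache comments must sit on their own line; a "# ..." after a directive
# is a syntax error that makes the whole .htaccess fail with a 500.
# (?i) makes the extension match case-insensitive, so README.md is
# covered as well as CHANGES.MD. The negative lookahead keeps robots.txt
# reachable: <FilesMatch> is evaluated against the requested filename
# before any rewrite runs, so without it /robots.txt would answer 403
# even though Elgg would generate it dynamically.
<FilesMatch "(?i)^(?!robots\.txt$).*\.(rst|md|txt)$">
    Require all denied
</FilesMatch>
# On Apache 2.2 replace "Require all denied" with:
#     Order allow,deny
#     Deny from all

RewriteEngine On

# Refuse anything under elgg-config/ (where settings.php lives).
# <Directory> sections are not permitted in .htaccess, so use a rewrite
# that answers 403 Forbidden instead.
RewriteRule ^elgg-config/ - [F,L]

# Hand URLs to Elgg's front controller unless they name an existing
# file or directory. Real files (plugin css/jpg assets, and anything
# not denied above) are served directly; everything else becomes an
# Elgg route.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?__elgg_uri=$1 [L,QSA]
```

After editing, request one of the denied paths (for example /elgg-config/settings.php and /README.md) and confirm a 403 in the access log, then request a normal page and a plugin stylesheet to confirm both still return 200. Keeping the install tree read-only for the webserver user, as noted earlier in the thread, remains the more important control; these rules only stop casual browsing of files that are public anyway.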
The blog excerpt is added in the file mod/blog/views/default/object/blog.php for the "brief view" of blogs, e.g. in lists.
Override this view (see http://learn.elgg.org/en/stable/guides/views.html#altering-views-via-plugins) and just comment out the $content line as follows:
} else {
    // brief view (used in lists); the excerpt is deliberately not passed,
    // so the summary shows title, subtitle, icon and menu but no body text
    $params = array(
        'entity' => $blog,
        'metadata' => $metadata,
        'subtitle' => $subtitle,
        // 'content' => $excerpt,
        'icon' => $owner_icon,
    );
    $params = $params + $vars;
    echo elgg_view('object/elements/summary', $params);
}
Amazing is not the word, the support here is fantastic!!!
Many thanks, it works perfectly.
Enjoy your weekend
Rich