I noticed that RoundCube uses a lot of *.inc files to be included. Then it uses .htaccess to disable users to view this files via the browser (in order to hide the source code).
Why not naming these files *.inc.php? With the .php extension you know that those files contains php code and users can't access the source code via the browser. Thereby, you don't have to set all the .htaccess files. Not to forget, sometimes one can't use .htaccess files or just forgets to copy them (thus leading of the source code still accessible from outside).
In short, using *.inc.php instead of *.inc has the following advantages:
- 1. No more using .htaccess
- 2. Disabled view of the source code, even without .htaccess
- 3. Makes installation a bit easier
I was wondering if I'm the only one with this on his mind... :)
Any comments on this one?
May this is something to send to the dev. mailing list.
http://lists.roundcube.net/dev/
I think because of security flaws/futures/hacks/whatever to download the full php files.
Makes sense to me, I don't see any reason not to
Hello.
The dev team should improve this issue.
Agrees.
.htaccess-files can just be just as annoying and make problems to few. Not saying I getting issues, but heard others which had.
We read the mailinglists and like tickets on trac.
But I agree, it wouldn't hurt!
I definitely agree.
Plus, as an added bonus, you could even toss in some header redirects once they're all php processed so that instead of actually even getting a blank page, the user will be bounced back to the login screen.