When trying to rename core/ht.access to core/.htaccess I see error message "File extension htaccess is not permitted." in file renaming dialog.
2.6.0
This is by design I believe. Not a bug.
Ref #13178
To make it work for you, you will need to add .htaccess to permitted file types. (not tested)
When we see "Core folder is accessible by web" warning the first and obvious move is to rename htaccess via in-manager file explorer. Inability to do it is confusing.
@whitebyte Allowing to upload/rename to .htaccess within the manager is a huge security issue as it may allow compromised manager users to take control of the webserver. Disallowing .htaccess is by design and you are meant to use FTP or SSH to do this. I do not understand why you automatically would assume this should be possible from within the server. .htaccess is a server related task, and has less to do with MODX as an application.
It's still possible to do this if you want, but it's essentially opt in for new sites since 2.5.6 or so. Add htaccess to the upload_files setting.
I've done that once or twice, as well as adding 'php'. Then as soon as I'm finished I make sure to remove them again.
@OptimusCrime In a default setup, a user who is able to see the file manager tab is usually an admin, so he is able to modify system settings and allow uploading any file types. If a manager account is compromised we are in big trouble anyway, so disabling the .htaccess extension by default does not actually solve any security issues, but makes life (a little) harder for a regular user.
Since this is just a minor inconvenience I'm not going to be pushy, but I do believe that my point is valid. Up to you.
I disagree. Server related files should not be handled in MODX, at least not by default. The application should put safety before inconvenience in my opinion. Additionally, there is a way to "fix" this issue already; just add the file ending to allowed file types and you're done.
My five cents at least.
Exactly my thinking. Server stuff should never be lightly or easily done. Slow down. Pay attention.
Unless people have strong opinions about this, I am going to close it as intended functionality.
@modxbot close
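An added example, not part of the thread and not MODX code: a small Python model of the allow-list check discussed above, plus an audit helper for spotting risky extensions left in `upload_files` after a temporary change. It assumes the setting is a comma-separated list of extensions and that the extension is the text after the last dot, as the error message suggests; the `RISKY` set and the sample values are constructed.

```python
# Added example: models the extension allow-list behaviour described in this thread.
# Assumption: upload_files is a comma-separated list of extensions without dots.

# Extensions that change server behaviour or run code when written under the web root.
# Constructed list for illustration; extend it for your own server.
RISKY = {"htaccess", "htpasswd", "php", "phtml", "phar", "cgi", "pl"}


def parse_upload_files(value):
    """Normalise the setting value into a set of lowercase extensions."""
    return {e.strip().lstrip(".").lower() for e in value.split(",") if e.strip()}


def extension_of(filename):
    """Text after the last dot, so '.htaccess' yields 'htaccess' (as in the error message)."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def rename_allowed(filename, upload_files):
    """True if the target name's extension is on the allow-list."""
    return extension_of(filename) in parse_upload_files(upload_files)


def risky_entries(upload_files):
    """Allow-list entries that should not stay enabled after a one-off change."""
    return sorted(parse_upload_files(upload_files) & RISKY)


if __name__ == "__main__":
    # Constructed sample values, not a real site's configuration.
    default_like = "txt,html,css,js,jpg,png,pdf"
    opted_in = default_like + ", htaccess, PHP"
    print(rename_allowed("core/.htaccess", default_like))  # blocked by default
    print(rename_allowed("core/.htaccess", opted_in))      # allowed after opt-in
    print(risky_entries(opted_in))                         # entries to remove again
```

Running `risky_entries` against the live setting value after maintenance catches the case where `htaccess` or `php` was added for a one-off change and never removed.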