It seems like in the past year or so, security has come to the forefront of everyone's mind. Prior to this, most developers and organizations seemed to see it as a “nice to have” instead of a “must have”. While I think this naivety hurt the community as a whole, we have the opportunity to redeem ourselves. Therefore, I offer an updated .htaccess for all dotProject users:
A new .htaccess file.
Just download this, place it in the root of your dotProject install, and rename to “.htaccess”.*
As I've been looking at improvements to dotProject, I looked at the root of our two security problems and there were two common threads: First, they were both dependent on inappropriate access to files outside the normal structure. Second, they were both dependent on register globals. I don't know of any additional dotProject security issues open at the moment, but I wanted to head them off…
The second issue was resolved a while back. Previously, we encouraged users to turn off register_globals at the PHP level and assumed they did it. Unfortunately, between users who don't have access to their php.ini and users who don't know how to tweak it, this was not foolproof at all. Therefore, Cyberhorse set register_globals to off right in .htaccess just in case. Half of the hole was closed, but there was still an opportunity for trouble.
As I dug into the problem recently, I decided to look at how other applications dealt with the problem… and Drupal seemed to do it the best. I ripped apart their model and customized it for how dotProject works and flows. Basically, it is a model of denying everything and then only allowing certain access points into the system. Therefore, now if someone tries to get direct access to individual modules, classes, or any other php or sql files, they're immediately blocked.
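To make the deny-everything-then-allow model concrete, here is an illustrative .htaccess in that shape. It is an added example written for this post, not the htaccess.txt that ships with dotProject; it assumes an Apache 2.2-style Order/Deny/Allow setup with mod_php (which php_flag needs), and the choice of index.php plus a few static asset types as the only allowed entry points is an assumption, not dotProject's actual list.

```apache
# Added illustrative example, not the .htaccess shipped with dotProject.
# Assumes Apache 2.2-era access control (Order/Deny/Allow) and mod_php.

# Close the register_globals hole regardless of what php.ini says.
# (Only honoured when PHP runs as an Apache module; with CGI/FastCGI
# this line is ignored and the php.ini setting still matters.)
php_flag register_globals Off

# First FilesMatch block: default deny. Nothing under the install is
# served directly, so modules, classes, includes and .sql files cannot
# be requested by URL.
<FilesMatch ".*">
    Order Deny,Allow
    Deny from all
</FilesMatch>

# Second FilesMatch block: the allow list. Apache applies the later
# section for files it matches, so only these names become reachable.
# Assumed entry point: index.php. A tool that needs to call another
# script directly would have to be added to this pattern.
<FilesMatch "^index\.php$">
    Order Allow,Deny
    Allow from all
</FilesMatch>

# Static assets the browser needs; assumed extension list.
<FilesMatch "\.(css|js|gif|jpe?g|png|ico)$">
    Order Allow,Deny
    Allow from all
</FilesMatch>
```

After dropping this in, a quick check is to request a known include or .sql file by URL and confirm you get a 403 while the front page still loads.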
Although this is a big step forward, it isn't the end of the process. The security checks, validation, etc. that happen in the code have to stay, and all of us still have to intelligently apply these and new principles as we go. I already have one additional layer I'd like to add…
* As noted in the htaccess.txt file, if you are using certain tools such as the Task Tracker for the Yahoo Widget Engine, you will have to make adjustments to the second FilesMatch block.