突然間,進入magento後臺,發現提示一條信息:
Your web server is configured incorrectly. As a result, configuration files with sensitive information are accessible from the outside. Please contact your hosting provider.
輸入magento的local.xml文件的路徑果然可以訪問。再一想這不只是泄露了數據庫的信息,同時整個magento模板的的layout配置也完全暴露。
事實上magento有在相關的目錄,如app的目錄下放置了.htaccess文件來限制對這些目錄下文件訪問。但是爲什麼失效了。打開配置文件發現,之前爲了封鎖baidu搜索引擎的爬行,做了一個測試,卻忘記了將文件恢復:
SetEnvIfNoCase User-Agent "^Baidu" bad_bot
<FilesMatch ".*">
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</FilesMatch>
而據我查閱的apapche文檔中的一段說明:
<Files> sections are processed in the order they appear in the configuration file, after the <Directory>
sections and .htaccess
files are read, but before <Location>
sections. Note that <Files>
can be nested inside <Directory>
sections to restrict the portion of the filesystem they apply to.
顯然files,filesmatch這兩個命令是在directory,.htaccess文件之後處理的,所以也就導致了有.htaccess而無效的問題了。