including a file on on-rev

Alex Tweedly alex at tweedly.net
Tue Nov 3 19:04:07 EST 2009


J. Landman Gay wrote:
> Yeah, this has been harassing me. I'm pretty sure a path like this 
> would work but I haven't tried it yet: ~/path/to/includeFile. I'm 
> going to test it, that would be way easier.
>
No - already guessed that one and tried it. "File not found"
>  (b) isn't it a (minor) security issue?
>
> No, because it's revTalk. The browser never sees the file path, only 
> the contents of the file. To the outside, it looks like hard-coded html.
Different issue. I was concerned about simply guessing the directory 
name, and hence seeing the include files. Of course, since they are 
.irev files, you can't simply download them but you can see their names, 
guess their function, etc. and in some cases retrieving them will give 
some info about the internals of the site. And in a couple of cases I've 
just tried, there are other kinds of files in the includes (or inc) 
directory. (Apologies to anyone who notices me snooping around their 
site ;-)
>
>> I think I'd normally protect my include folder with a .htaccess file, 
>> so that random users can't access my include files, they can only 
>> access the web pages I want them to access. But that would (I think, 
>> haven't tested it) prevent this form of include being used.
>
> I don't think you'd have to, since the path is never sent to the 
> browser. Alternately, I suppose you could store the includes outside 
> the web folder. A path is a path, right?
>
I didn't think you could do this - but you can. And that's kind of scary. 
It means that a script error (or deliberate misuse) in any of your 
add-on domains can see and alter all files, including those in other 
add-on domains.  I'm not sure this is a "feature", it feels more like a 
"bug" (or at least, a "problem").

-- Alex.
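For readers wanting to act on the .htaccess idea discussed above, here is an added example (editor's illustration, not code from the thread or from on-rev) of an Apache .htaccess file that denies direct HTTP access to an include directory. The directory name ("includes" or "inc", both mentioned in the thread) and the Apache version in use are assumptions. One caveat, which the thread itself supports: Alex notes that the includes can live outside the web folder, so the include mechanism reads the file from disk by path. Apache access control applies only to HTTP requests the server handles, so a rule like this blocks outside visitors from listing or fetching the directory but does not interfere with a server-side include reading the same file.

```apache
# Added example (not from the original thread): deny direct HTTP access to an
# include directory on an Apache host. Save this as .htaccess inside the
# directory that holds the include files (e.g. "includes" or "inc"; the name
# is an assumption). Requires the host to permit .htaccess overrides
# (AllowOverride Limit, and AllowOverride Options for the last directive).

# Apache 2.4 and later
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2 (the common version when this thread was written)
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>

# Belt and braces: even if an access rule is later loosened, do not let the
# server generate a directory listing that reveals the include file names.
Options -Indexes
```

Test it by requesting a known include file and the bare directory URL from a browser or with curl; both should return 403 Forbidden, while pages that include those files server-side should render unchanged. If the `Options` line produces a 500 error, the host does not allow `AllowOverride Options` in .htaccess and that line should be dropped; the `Require`/`Deny` rules alone still stop direct downloads and listings.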


