为什么将框架文件夹放在公共根目录之外更安全?

2022-01-04 00:00:00 php symfony zend-framework cakephp yii

为什么总是建议将框架文件放在公共根目录之外?

Why it is always recommended to place framework files outside of the public root ?

鉴于有时框架没有可以由浏览器打开的 .ini.inc 文件.

Given that sometimes a framework doesn't have .ini or .inc files that can be opened by a browser.

推荐答案

好吧,将框架源代码放置在 Web 根目录中绝对没有什么获得.由于可以自由选择放置文件的位置,因此采用最小权限原则是合乎逻辑的:您不需要网络访问这些文件,所以你不会得到它.

Well, there is definitely nothing to be gained from placing framework sources inside the web root. Since the choice of where to place the file is therefore free, it's only logical to go with the principle of least privilege: you don't need web access to these files, so you won't get it.

一个更具体的原因是框架来源可以很容易地透露网站上使用的框架的品牌和版本(尽管这些信息通常也可以通过检查生成的内容获得);这反过来又可以让恶意用户更容易利用已知或新发现的漏洞.

A more concrete reason is that framework sources can easily disclose the brand and version of a framework being used on a website (although this information can also usually be gained by examining the generated content); this in turn can make it easier for malicious users to exploit known or newly discovered vulnerabilities.

相关文章