突然间,进入magento后台,发现提示一条信息:
Your web server is configured incorrectly. As a result, configuration files with sensitive information are accessible from the outside. Please contact your hosting provider.
输入magento的local.xml文件的路径果然可以访问。再一想这不只是泄露了数据库的信息,同时整个magento模板的的layout配置也完全暴露。
事实上magento有在相关的目录,如app的目录下放置了.htaccess文件来限制对这些目录下文件访问。但是为什么失效了。打开配置文件发现,之前为了封锁baidu搜索引擎的爬行,做了一个测试,却忘记了将文件恢复:
SetEnvIfNoCase User-Agent "^Baidu" bad_bot
<FilesMatch ".*">
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</FilesMatch>
而据我查阅的apapche文档中的一段说明:
<Files> sections are processed in the order they appear in the configuration file, after the <Directory>
sections and .htaccess
files are read, but before <Location>
sections. Note that <Files>
can be nested inside <Directory>
sections to restrict the portion of the filesystem they apply to.
显然files,filesmatch这两个命令是在directory,.htaccess文件之后处理的,所以也就导致了有.htaccess而无效的问题了。