How can I add an .htaccess security exception?


Xonox

Hi,

I really like PW's htaccess security, however, I was having difficulties posting to an ajax call to a custom script because of it. After some trial and error, I came to the conclusion that the problem was here:

# Block access to any PHP or markup files in /site/templates/
RewriteCond %{REQUEST_URI} (^|/)(site|site-[^/]+)/templates($|/|/.*\.(php|html?|tpl|inc))$ [OR]

So after commenting this line, all was working. However I would like to keep the security, adding an exception to the following file:

site/templates/scripts/xcrud/xcrud_ajax.php

Is it possible to add this exception to the .htaccess file? How can I do that?

Thank you.

Welcome to the forum!

You could of course add an exception to that file only on the htaccess, but IMO the best way to do this is to have that file as a normal PW template and create a page with it, then just call the page instead of the file:

example.com/utilities/xcrud (or whatever you want)

  • Like 2

Hi Diogo,

Thanks for your input. It would be a great idea, but I'm afraid it won't work for what I intend to do. The file I mentioned (xcrud_ajax.php) is called by the script itself, not by me and I want to keep the script contained, so that I don't have to keep making changes whenever I update it.

I tried to make your option work. I made some changes to the script configuration files to see if it would manage it, but to no avail. I really don't want to make changes to the script core. However, I'll try to investigate that option a bit more because it might even solve a session problem I'm having with it.

Thanks.


You can also put the file on the root of the website and call it directly; the .htaccess rules are prepared to bypass the index if you call an existing file (that would imply moving the script also, probably).

  • Like 1

After messing around with config and PHP templates I finally got the script to work.

Your idea of building a template to handle the ajax call was right on! I now have the script functioning inside its own folder with the ajax calls being handled by a page that has a special template that includes the script itself.

Two big advantages:

1. No need to make changes to .htaccess;

2. The problem that I was having with this script session was solved. I guess that calling a PW page means that the session is kept intact.

Both problems were killing me for the past two days; I can now move on! :)

Thanks Diogo, always nice to have some discussion about alternatives to solve problems.

Greetings from Lisbon!!

  • Like 2
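
An added example, not part of the thread and not ProcessWire's own code: a Python check that runs the RewriteCond pattern quoted in the first post over constructed request paths, comparing the rule as shipped, the rule commented out, and an exact single-file exception. The `is_blocked` and `audit` helpers, the exception set and the sample paths are assumptions for illustration, and the check models only this one condition, not the rest of the rewrite rules.

```python
import re

# The RewriteCond pattern quoted in the first post. Apache matches it
# unanchored against the request path, which re.search reproduces here.
TEMPLATES_RULE = re.compile(
    r"(^|/)(site|site-[^/]+)/templates($|/|/.*\.(php|html?|tpl|inc))$"
)

# Hypothetical exception list: exact request paths let through the rule.
EXCEPTIONS = frozenset({"/site/templates/scripts/xcrud/xcrud_ajax.php"})


def is_blocked(uri, exceptions=frozenset(), rule_enabled=True):
    """Return True if this one condition would deny the request path."""
    if not rule_enabled:      # the line commented out, as in the first post
        return False
    if uri in exceptions:     # exact match only, no prefixes or wildcards
        return False
    return TEMPLATES_RULE.search(uri) is not None


def audit(uris, **kwargs):
    """Map each path to 'blocked' or 'allowed' (by this condition only)."""
    return {u: "blocked" if is_blocked(u, **kwargs) else "allowed" for u in uris}


# Constructed sample request paths (not taken from a real log).
SAMPLE_URIS = [
    "/site/templates/scripts/xcrud/xcrud_ajax.php",
    "/site/templates/home.php",
    "/site/templates/scripts/xcrud/xcrud_config.php",
    "/site/templates/scripts/main.js",
    "/utilities/xcrud/",
]

if __name__ == "__main__":
    scenarios = [
        ("rule as shipped", {}),
        ("rule commented out", {"rule_enabled": False}),
        ("single-file exception", {"exceptions": EXCEPTIONS}),
    ]
    for label, kwargs in scenarios:
        print(label)
        for uri, verdict in audit(SAMPLE_URIS, **kwargs).items():
            print(f"  {verdict:8} {uri}")
```

With the rule commented out, every template PHP file in the sample becomes directly requestable; with the exact-path exception only the one AJAX endpoint does, and the page URL is never matched by the rule at all.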