Internal files/scripts accessible via Apache

[lazka]

More of a general question, currently when serving Kanboard with Apache all the application files are accessible from outside, including files in the root and vendor/ dir, and the same in all plugins etc.

Ideally the application would only expose endpoints and only allow executing scripts which are required for running the application, and not internal PHP scripts, or unrelated example files provided in /vendor.

In Symfony, for example, this is worked around by having a dedicated "public" subdir, which is the one Apache serves. And they handle plugins by having a post-install step which copies plugin specific static files into the public dir.

I don't know what what would be a good way to fix this for Kanboard.

Does anyone have any ideas on how to improve the current situation? .htaccess nginx config workarounds?

[fguillot]

See https://docs.kanboard.org/v1/admin/security/#installation-outside-document-root

[lazka]

Thanks, I missed this page somehow.

I think some of my plugins require public files, but I'll give this a try. Maybe I can get it to work with even more symlinks.

[lazka]

I can confirm that it works fine even with plugins by symlinking their "Assets" directory. Here is a script in case someone finds this useful:

#!/bin/bash
set -e

source="$KANBOARD_ROOT"
destination="$DOCUMENT_ROOT"

if [[ ! -e "$source/index.php" ]]; then
    echo "Kanboard root '$source/index.php' does not exist, aborting."
    exit 1
fi

if [[ -e "$destination" ]]; then
    echo "New root '$destination' already exists, aborting."
    exit 1
fi

mkdir -p "$destination"
cd "$destination"

# main application
ln -s "$source"/assets assets
ln -s "$source"/cli cli
ln -s "$source"/favicon.ico favicon.ico
ln -s "$source"/index.php index.php
ln -s "$source"/jsonrpc.php jsonrpc.php
ln -s "$source"/robots.txt robots.txt
ln -s "$source"/.htaccess .htaccess

# plugin assets
mkdir -p plugins
cd plugins
for path in "$source"/plugins/* ; do
    plugin=$(basename "$path")
    mkdir -p "$plugin"
    cd "$plugin"
    ln -s "$source/plugins/$plugin/Assets" "Assets"
    cd - > /dev/null
done

echo "Created new root at: $destination"