Program Configuration

Please always bear in mind that heitml pages are in fact programs running on your Web server. Since these programs are written by customers, there is a risk that they misbehave, intentionally or unintentionally. The heitmlsecure directive:

    heitmlsecure on

Always switch on heitmlsecure explicitly in httpd.conf to prevent users from switching it off in a .htaccess file.

The include feature of heitml is a way for heitml scripts to include and execute library files. Using the heitmlInclude directive, all users should have the heitml lib directory in their include path. Users of heitml 1.2 might want to use the lib1.2 directory for compatibility reasons. Users of RADpage additionally need the control directory in the path before the lib directory; it is needed for editing only.

    # include heitml libraries
    heitmlInclude /usr/local/heitml/heitml2.1/control
    heitmlInclude /usr/local/heitml/heitml2.1/lib
    # include the layout
    heitmlInclude /home/demo/website/docroot/layout

Finally, each heitml Web site needs a layout directory that contains layout files. Layout files are just ordinary include files, but usually they are local to each client. In addition, clients can use .htaccess files to specify their own include directories.

    heitmllib /usr/local/heitml/heitml2.1/lib/lib.hei
    heitmlcodepath /usr/local/heitml/heicode

heitmlcodepath specifies the directory in which heitml stores its code files. The Web server must have write access to the code files and users must not, since changing a code file could be used to compromise the Web server's security. heitmllib specifies a heitml code library. The library contains a preprocessed version of the heitml component libraries, so that parts of the library are not compiled into each code file. This saves significant disk space on code files.

Include files, however, carry the risk that a user includes a file he is not allowed to read. heitml runs with the user rights of the Web server user, so it has the same rights as Apache. There is therefore the potential risk that every file the Web server user can read can be included. This risk is addressed by the heitmlincludeall directive:

    heitmlincludeall off

In any case, be aware that there is an inherent risk that all files the Web server user can read are revealed. Note that Apache modules and CGI scripts can read all these files. A simple Apache misconfiguration might make Apache serve these files; e.g. you must make sure that Apache never follows symlinks. Finally, bugs in heitml (or any other Apache module) might reveal such information. So you should never put confidential data on a Web server and at the same time allow multiple clients to upload scripts or .hei pages to that server.
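As an added example (not part of the heitml documentation), a small POSIX shell audit script that checks an httpd.conf fragment for the settings above: heitmlsecure on, heitmlincludeall off, a heitmlcodepath, and no FollowSymLinks. The two sample config fragments are constructed here; the directives are the ones named on this page.

```shell
#!/bin/sh
# Audit an Apache httpd.conf fragment for the heitml settings recommended above.
# Constructed example, not part of heitml. Assumes directives are global
# (not inside <Directory> blocks), one per line, case-insensitive as in Apache.

# Value of the last occurrence of a directive (in Apache the last one wins).
conf_value() {            # $1 = config file, $2 = directive name
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$1"
}

# Return 0 when the fragment sets heitmlsecure on, heitmlincludeall off and a
# heitmlcodepath, and does not enable FollowSymLinks; else report and return 1.
check_heitml_conf() {     # $1 = config file
    rc=0
    [ "$(conf_value "$1" heitmlsecure)" = on ] \
        || { echo "missing: heitmlsecure on (set it in httpd.conf, not .htaccess)"; rc=1; }
    [ "$(conf_value "$1" heitmlincludeall)" = off ] \
        || { echo "missing: heitmlincludeall off"; rc=1; }
    [ -n "$(conf_value "$1" heitmlcodepath)" ] \
        || { echo "missing: heitmlcodepath"; rc=1; }
    # Apache must never follow symlinks into files only the server user can read:
    # flag FollowSymLinks or +FollowSymLinks, but not -FollowSymLinks.
    if grep -Eiq '^[[:space:]]*Options([[:space:]]+[^[:space:]]*)*[[:space:]][+]?FollowSymLinks' "$1"; then
        echo "risk: Options FollowSymLinks is enabled"; rc=1
    fi
    return $rc
}

# Constructed sample configs: one weak, one following the advice above.
WEAK=$(mktemp); HARD=$(mktemp)
cat > "$WEAK" <<'EOF'
heitmlInclude /usr/local/heitml/heitml2.1/lib
Options Indexes FollowSymLinks
EOF
cat > "$HARD" <<'EOF'
heitmlsecure on
heitmlincludeall off
heitmlInclude /usr/local/heitml/heitml2.1/control
heitmlInclude /usr/local/heitml/heitml2.1/lib
heitmllib /usr/local/heitml/heitml2.1/lib/lib.hei
heitmlcodepath /usr/local/heitml/heicode
Options -FollowSymLinks
EOF

echo "weak config:";     check_heitml_conf "$WEAK" || echo "=> rejected"
echo "hardened config:"; check_heitml_conf "$HARD" && echo "=> ok"
```

Run it against your real httpd.conf by calling check_heitml_conf with that path; it does not verify that the heitmlcodepath directory is writable only by the Web server user, which must still be checked with ls -ld.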