Awaiting feedback Building add-on skips filenames starting with dot

ivp

Affected version: 2.2.13
When building the add-on, hidden files (starting with a dot) are not added to the ZIP.

I don't see another way to be sure that some keys are not publicly accessible.
 
I'm not entirely opposed to changing the behavior if there's a solid use case, but this is deliberate as it stands. Typically files in the src/ directory are not publicly accessible as it is.
 
Just checked and I can see that nginx config includes:
Code:
location /src/ {
  internal;
}
and src/.htaccess:
Code:
Order deny,allow
Deny from all
So you think it is perfectly safe to have keys in regular files (not starting with dot)?
 
I'm not sure about perfectly safe. Preventing any sort of file from being served (including dot files) depends on the web server being configured correctly, but XF does expect that the src/ directory is not served. For DKIM, we store generated private keys in the internal data mount point with a random file name.

Are you distributing a private key in the add-on itself? You could also consider storing it as a string in PHP to reduce the likelihood of it being served, but I guess that depends on your exact needs.
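
Added example, not part of the thread or of XenForo's build tooling: a release check that scans a built add-on ZIP for dot-file entries and for PEM private-key material, so a key that is about to be distributed is caught whether it sits in a `.pem` file or in a PHP string. The archive paths, file names and key body below are constructed placeholders.

```python
import io
import re
import zipfile

# PEM header of any private-key type (RSA, EC, OPENSSH, PKCS#8, encrypted).
PEM_PRIVATE = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")


def audit_release_zip(data: bytes) -> dict:
    """Return dot-file entries and entries containing a PEM private key."""
    findings = {"dotfiles": [], "private_keys": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = info.filename.split("/")
            # Any path component starting with a dot counts as hidden.
            if any(p.startswith(".") for p in parts if p):
                findings["dotfiles"].append(info.filename)
            if PEM_PRIVATE.search(zf.read(info)):
                findings["private_keys"].append(info.filename)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive; paths and contents are made up."""
    fake_key = b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("upload/src/addons/Demo/Addon/addon.json", b"{}")
        zf.writestr("upload/src/addons/Demo/Addon/keys/signing.pem", fake_key)
        zf.writestr("upload/src/addons/Demo/Addon/.secret", b"token=PLACEHOLDER")
        # Key embedded as a PHP string: less likely to be served, still shipped.
        zf.writestr("upload/src/addons/Demo/Addon/Key.php",
                    b"<?php\nreturn '" + fake_key + b"';\n")
    return buf.getvalue()


if __name__ == "__main__":
    for kind, names in audit_release_zip(build_sample_zip()).items():
        print(kind, names)
```
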
 