XF 1.1 Things XenForo writes to filesystem

digitalpoint

Well-known member
As far as I can see, XenForo only writes templates (when you are set to save them as PHP files) and avatars to the file system normally, right?

Just want to make sure I'm not missing anything so I can setup security, permissions and multi-web server syncing properly.
 
Anything can be written to the file system into the data and internal_data directories. Data is accessed directly by the web server, internal_data isn't. So that includes things like attachments, attachment thumbs, avatars, some temp storage, templates as files, things add-ons might right, and general future things.
 
So would it be safe to block PHP execution within the data directory? I hate having the web server "user" have the ability to write anything/anywhere (purely from a security standpoint). So if someone was able to get the web server to write a nasty PHP file to the data directory somehow, I could at least prevent it from executing...
 
That would be fine. You can do the same with the internal data directory as well or you can move it outside of the web root via config.php.
 
Top Bottom