Hi Sean.
Here are some explanations about .htaccess and error logging.
1) The RoundCube package includes a directory names "log" and an entry in
config/main.inc.php.dist that sets 'log_dir' to that directory. According
to the installation guide you should make sure that the webserver can write
to that log dir. With all these conditions met, the errors file will be
create once the first error is logged. If this fails, PHP will write the
errors to it's default error_log file.
2) Only .php will be executed (sent to PHP) when called externally over an
URL. This is one of the reasons why we use .inc for included PHP files
which are not subject to be executed directly. Since RoundCube is open
source, everybody can get the source and analyze it and the FilesMatch
section in .htaccess is not absolutely necessary. Nevertheless, direct
access via webserver should not be allowed. This also includes auto-saving
files from emacs (ending with ~).
As you can see, there are .htaccess files in 'temp' and 'logs' dirs which
deny all access from outside.
If you use Apache and you have AllowOverride set for the RoundCube
directory your log files should be save.
~Thomas
Sean N. Heukels wrote:
> Found something strange in the code about error logging
>
> <1>
> in main.inc the errors directory is defined, but this directory does not
> exist. Does PHP complain about this?
>
> // set PHP error logging according to config
> if ($conf['debug_level'] & 1)
> {
> ini_set('log_errors', 1);
> ini_set('error_log', $conf['log_dir'].'/errors');
> }
>
> <2>
> In .htaccess in the root of roundcube there is a deny/allow statement
> for *.inc (suffix as .inc). Does this mean that if a user would know the
> directory format that he/she would be able to read/execute other file
> formats under the directory structure. For example files with the suffix
> php or log?
>
> Kind regards, Sean
