    • 36551
    • 416 Posts
    I have just installed 2.4.0 on two sites. I'm getting a warning on the dashboard of both sites that says "Core folder is accessible by web"

    I do have an .htaccess in the core folder on both sites that contains
    IndexIgnore */*
    <Files *.php>
        Order Deny,Allow
        Deny from all
    </Files>
    


    These sites are each in a folder on the same server (Hostmonster). If I attempt to access a file in the core folder via a browser I get the 404 page I specified in MODX.

    I assumed that warning would not appear when the .htaccess file is present in the core folder. I've cleared the MODX cache manually and deleted cookies and cache in my browser.

    Thoughts?
    • You need to get rid of the ".php" in that Files directive. It leaves a few text files accessible. Technically that is harmless, but the code that checks for accessible files doesn't make any distinctions.
        Studying MODX in the desert - http://sottwell.com
        Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
        Join the Slack Community - http://modx.org
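Why removing ".php" from the Files directive changes the result, as an added example that is not part of the original posts and is not MODX's own check: it reads the `<Files>` blocks of the .htaccess from the question and lists which names no denying pattern covers. The file names are constructed samples, Python's `fnmatch` is used as an approximation of Apache's wildcard matching, and the regex form `<Files ~ "...">` is not handled.

```python
import fnmatch
import re

# The .htaccess from the question (Apache 2.2-style access control).
ORIGINAL = """\
IndexIgnore */*
<Files *.php>
    Order Deny,Allow
    Deny from all
</Files>
"""

# The same file with ".php" removed from the Files directive, as the reply suggests.
SUGGESTED = ORIGINAL.replace("<Files *.php>", "<Files *>")

# Constructed file names, not a listing of a real MODX core folder.
SAMPLE_FILES = ["index.php", "config.inc.php", "changelog.txt", "license.txt"]

# Matches <Files pattern> ... </Files>, wildcard form only.
FILES_BLOCK = re.compile(r"<Files\s+([^>\s]+)\s*>(.*?)</Files>", re.I | re.S)


def denied_patterns(htaccess):
    """Return the wildcard patterns of <Files> blocks that contain 'Deny from all'."""
    patterns = []
    for pattern, body in FILES_BLOCK.findall(htaccess):
        if re.search(r"^\s*Deny\s+from\s+all\s*$", body, re.I | re.M):
            patterns.append(pattern.strip('"'))
    return patterns


def still_served(htaccess, filenames):
    """Return the file names that no denying <Files> pattern matches."""
    patterns = denied_patterns(htaccess)
    return [name for name in filenames
            if not any(fnmatch.fnmatchcase(name, p) for p in patterns)]


if __name__ == "__main__":
    print("original :", still_served(ORIGINAL, SAMPLE_FILES))
    print("suggested:", still_served(SUGGESTED, SAMPLE_FILES))
```
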
        • 3749
        • 24,544 Posts
        Better yet, move the core above the web root and change the path in all the config.core.php files (root, manager, connectors, + setup if it's there) and in config.inc.php if necessary.
          Did I help you? Buy me a beer
          Get my Book: MODX:The Official Guide
          MODX info for everyone: http://bobsguides.com/modx.html
          My MODX Extras
          Bob's Guides is now hosted at A2 MODX Hosting
          • 36551
          • 416 Posts
          Quote from: sottwell at Aug 25, 2015, 11:05 PM
          You need to get rid of the ".php" in that Files directive. It leaves a few text files accessible. Technically that is harmless, but the code that checks for accessible files doesn't make any distinctions.

          The notes with the warning say this:

          "This can be easily done by renaming the existing ht.access example file there to .htaccess."

          That line is in the sample file. Perhaps the file should be updated in the next release?

          Nonetheless, removing it did satisfy the warning.

          Thank you!
          • Yes, this is known. There is some debate as to the best way to deal with this. There are ways to have a request return a 404 (not found) instead of the 403 (forbidden) response. The thought is that the 403 response indicates that the file does exist, while returning a 404 would suggest that it's not even there.
              Studying MODX in the desert - http://sottwell.com
              Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
              Join the Slack Community - http://modx.org