I put version 3.21 of gallery up this evening. People kept sending me e-mail that indicated they were running this on a public web account; I don’t think it makes much sense to do this as the original files just eat up your allotted web space, I guess they must have accounts that let them keep gigs of files on their server.
Anyway, I realized when responding to an e-mail that the database settings were stored in a ".inc" file instead of a ".php" file. That is not a real problem if you’re just running gallery locally, but a web server typically hands a ".inc" file out as plain text instead of executing it, so on a publicly accessible server with no other security anyone who requests that file can read the database credentials. Anyone running gallery on a public web server should have had some basic security on their gallery directory anyway, so hopefully this isn’t an issue for very many people, but it’s better to have it fixed.
One really simple tactic to increase security is to put any files that contain db connection info in the php include directory. Since it resides above the web document root, users can’t just load it up by guessing the name.
That is a good thing to do if you have access to the directory. I think many standard ISP accounts don’t have that access.
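Both fixes discussed on this page (rename the settings file to ".php" so the server executes it rather than serving it, or keep it above the document root where it cannot be requested at all) come down to one question: is a file with database settings reachable as plain text through the web root? The following audit script is an added example written for this page, not code from gallery; it builds a constructed sample site in a temporary directory (the directory names, variable names and the credential pattern it looks for are assumptions) and reports, for each settings file, whether it is exposed under the document root, safe because PHP executes it, or safe because it sits outside the document root.

```python
import re
import tempfile
from pathlib import Path

# Extensions a typical web server serves as plain text instead of executing.
# ".inc" is the case the post describes; the others are common leftovers.
RAW_EXTENSIONS = {".inc", ".txt", ".bak", ".old", ".orig"}

# Assumed pattern for "looks like database settings" (these variable names are
# an assumption for the example, not gallery's real ones).
SECRET_RE = re.compile(r"\$db_?(pass|password|user|host|name)\b|mysql_connect", re.I)


def looks_like_db_settings(path: Path) -> bool:
    """True if the file's text matches the assumed credential pattern."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return False
    return bool(SECRET_RE.search(text))


def is_under(path: Path, root: Path) -> bool:
    """True if path resolves to somewhere inside root (symlinks resolved)."""
    try:
        path.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def audit(docroot, candidates):
    """Return a list of (path, verdict) for every candidate holding db settings."""
    docroot = Path(docroot)
    findings = []
    for p in map(Path, candidates):
        if not looks_like_db_settings(p):
            continue
        ext = p.suffix.lower()
        if not is_under(p, docroot):
            verdict = "ok: outside the document root, cannot be requested"
        elif ext in RAW_EXTENSIONS:
            verdict = "EXPOSED: served as plain text from the document root"
        elif ext == ".php":
            verdict = "ok: executed by PHP rather than served raw"
        else:
            verdict = "review: unknown extension under the document root"
        findings.append((str(p), verdict))
    return findings


def build_sample_site(base: Path):
    """Construct a toy layout (sample data only, not a real gallery install)."""
    docroot = base / "public_html"
    outside = base / "include"
    settings = '<?php\n$db_host = "localhost";\n$db_user = "gallery";\n$db_pass = "example-only";\n'
    files = [
        docroot / "gallery" / "db_settings.inc",  # the problem: served raw
        docroot / "gallery" / "db_settings.php",  # the 3.21 fix: executed by PHP
        outside / "db_settings.inc",              # the comment's fix: above docroot
        docroot / "gallery" / "index.php",        # no credentials, must be ignored
    ]
    for f in files:
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text(settings if "db_settings" in f.name else "<?php echo 'gallery';\n")
    return docroot, files


def demo() -> dict:
    """Run the audit over the constructed site; keys are paths relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot, files = build_sample_site(Path(tmp))
        return {Path(p).relative_to(tmp).as_posix(): v for p, v in audit(docroot, files)}


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:55s} {path}")
```

On a real account you would pass the actual document root and a list of files found by walking it (plus any include directory) instead of the constructed sample; the "review" verdict is deliberately conservative, since whether another extension is executed or served raw depends on the server's handler configuration.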