Ilmiont NET v1.3.0 released
Today I released Ilmiont NET v1.3.0, the November 2017 release of my multi-tenant PHP web app framework and hosting platform, incorporating over 30 notable changes, including a heavily revised security model.
This is the second major update to Ilmiont NET since I finalised the v1.x series back in September. I've worked for over a month on this update, adding many new internal features, several API changes and crushing almost a dozen minor bugs. You can check out the full release on GitHub; I'll go over the most significant change to the security model here.
When I started on Ilmiont NET v1.x development, I decided against using a "public" or "web" folder like other frameworks for a few reasons. First, I don't like this structure; second, and more importantly, it places limitations on where you can install the framework, particularly around subdirectories. Most frameworks require you to set your document root to their public folder location, but what if you're in an environment where that isn't possible, or you don't want the framework to be on its virtual host, or you want to be able to move the framework around at will...
Unfortunately, Ilmiont NET v1.1.0 and v1.2.0 didn't do enough to protect the security of the system and prevent external access to internal resources. In v1.3.0, I've gone back to the drawing board and there is now a "www" public folder, which is used to store all assets created by the system and apps that can be downloaded externally. You can only access files inside "www".
But how does this work, and how have I solved the issues above? With Apache dynamic rewrite base resolution in .htaccess. The .htaccess can now work out its own location, enabling dynamic rewrite rules. This is achieved by determining the rewrite base by stripping the document root from the incoming URL. Now we can reliably work out where Ilmiont NET is installed on the server, and always use relative URLs to "www", without requiring any manual hardcoding of document roots, Ilmiont NET filesystem roots or public directory locations.
It just works. You can put Ilmiont NET anywhere on your server and external users can only download files inside the "www" folder. Specifying a URL which doesn't map to something inside "www" routes to "ilmiontnet.php," initiating the internal system routing flow. Everything's secure and yet still flexible.
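One common way to get the behaviour described above, shown as an added example and not taken from Ilmiont NET's own .htaccess, which may resolve the base differently. It assumes Apache 2.4 with mod_rewrite, `AllowOverride` permitting rewrite directives, an install directory under DocumentRoot (no `Alias`), and public URLs that omit the "www" segment.

```apache
# Constructed example: .htaccess in the framework's install directory.
RewriteEngine On

# Step 1: resolve the rewrite base at request time.
# REQUEST_URI is the full URL path; $0 is the part of it relative to this
# .htaccess. The condition matches when REQUEST_URI ends with $0, and %1
# captures whatever comes before it: the URL prefix of the install directory
# ("" at the document root, "/apps/inet" in a subdirectory).
RewriteCond %{REQUEST_URI}::$0 ^(.*)/(.*)::\2$
RewriteRule ^.*$ - [E=BASE:%1]

# Step 2: serve the request only if it names a regular file inside www/.
# The -f test needs a filesystem path, so the resolved base is appended to
# the document root. END (2.4+) stops rewriting so the internally redirected
# request is not run through these rules a second time.
RewriteCond %{DOCUMENT_ROOT}%{ENV:BASE}/www/$0 -f
RewriteRule ^.*$ %{ENV:BASE}/www/$0 [END]

# Step 3: default deny for direct file access. Every other URL, including
# ones that name real files outside www/ (sources, configuration, logs),
# is handed to the front controller and never served from disk.
RewriteRule ^ %{ENV:BASE}/ilmiontnet.php [END]
```

Because step 3 has no condition, a file outside "www" is unreachable even when its exact path is requested, so a useful deployment check is to request a known internal file and confirm the response comes from the router, not the filesystem.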
View Ilmiont NET on GitHub