View Issue Details

This bug affects 1 person(s).
ID: 19942
Project: Bug reports
Category: Installation
View Status: public
Last Update: 2025-01-27 11:42
Reporter: riqcles
Assigned To: (none)
Priority: none
Severity: minor
Status: new
Resolution: open
Product Version: 6.6.x
Summary19942: Files that should not be present on a production server
Description

Some files related to tests that are present in LimeSurvey should not be present in the production environment (even if access to them is prohibited by the file permissions).
There are also readme files that could be removed.
This is the version downloaded from the site https://community.limesurvey.org/ (not the Git one).

Is it possible to have, in the installation wiki, a list of files that should not be present in the front office?
Examples of files and instructions:

  • limesurvey/docs/swagger/
  • limesurvey/modules/admin/HelloWord

There are surely others, but I don't know them all.
Steps To Reproduce

Steps to reproduce

Download the version from the community site.
Unzip the file.

Expected result

The test files should not be present.

Actual result

Test files are present.

Tags: No tags attached.
Bug heat: 6
Complete LimeSurvey version number (& build): LimeSurvey 6.6.6
I will donate to the project if issue is resolved: No
Browser: Firefox / Edge
Database type & version: PostgreSQL 17
Server OS (if known): Rocky
Webserver software & version (if known): Apache 2.2
PHP Version: PHP 8.2

Users monitoring this issue

DenisChenu

Activities

c_schmitz (administrator), 2025-01-27 10:04, note ~81906

Why do you think it is a problem?

See also https://www.limesurvey.org/manual/Installation_security_hints

riqcles (reporter), 2025-01-27 11:42, note ~81908

Thanks for the link to the settings to set up.
We have applied most of the settings on this page.

I am basing this on the conclusions of the intrusion report, which indicates that, in addition to giving indications on the technologies used, it should be noted that the test pages are not necessarily developed with the security aspect taken into account. Leaving them on a production server therefore unnecessarily increases its exposure.

We therefore think that this is indeed a problem.

So, these files are indeed necessary for development, but we could delete them / make them inaccessible in production.

The swagger is quite impressive (the features do not work in my environment, with the restrictions in place) and exposes a lot of features. It is functional on the demo environment, for example:

https://demo.limesurvey.org/docs/swagger/
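One way to do what the reporter proposes (delete the development-only paths from the unpacked release and verify that they are gone) is the script below. It is an added example, not code from LimeSurvey or from this report. The two paths are the ones named in the report; the list is deliberately limited to those, since the reporter notes that others are unknown. LS_DEV_PATHS, make_sample_tree, strip_dev_paths and count_dev_paths are names chosen here, and the sample tree is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: strip development-only paths from an unpacked LimeSurvey
# release before it is deployed. Not part of LimeSurvey or of this report.
# LS_DEV_PATHS is an assumed variable name; the two entries come from the
# report (docs/swagger and modules/admin/HelloWord), relative to the
# directory that contains index.php.
LS_DEV_PATHS="docs/swagger modules/admin/HelloWord"

# make_sample_tree DIR: build a constructed stand-in for an unzipped
# release under DIR/limesurvey, with one application file and the two
# dev paths. Only used so the example can run without the real archive.
make_sample_tree() {
    dir="$1"
    mkdir -p "$dir/limesurvey/application" \
             "$dir/limesurvey/docs/swagger" \
             "$dir/limesurvey/modules/admin/HelloWord"
    printf '<?php\n' > "$dir/limesurvey/index.php"
    printf '{}\n' > "$dir/limesurvey/docs/swagger/openapi.json"
    printf '<?php\n' > "$dir/limesurvey/modules/admin/HelloWord/HelloWord.php"
}

# strip_dev_paths ROOT: delete each entry of LS_DEV_PATHS under ROOT.
# Refuses to run unless ROOT contains index.php, and rejects absolute or
# parent-relative entries, so a typo cannot turn rm -rf loose elsewhere.
strip_dev_paths() {
    root="$1"
    [ -f "$root/index.php" ] || { echo "not a LimeSurvey root: $root" >&2; return 2; }
    for p in $LS_DEV_PATHS; do
        case "$p" in
            /*|*..*) echo "refusing unsafe path: $p" >&2; return 2 ;;
        esac
        if [ -e "$root/$p" ]; then
            rm -rf "$root/$p"
            echo "removed $root/$p"
        fi
    done
}

# count_dev_paths ROOT: print how many entries of LS_DEV_PATHS still exist
# under ROOT. Intended as a post-deploy check; the expected answer is 0.
count_dev_paths() {
    root="$1"
    n=0
    for p in $LS_DEV_PATHS; do
        [ -e "$root/$p" ] && n=$((n + 1))
    done
    echo "$n"
}
```

Run strip_dev_paths against the directory that contains index.php after unpacking and before the first deploy, and keep count_dev_paths in a post-deploy job so the paths do not come back with the next upgrade archive. Where deleting is not an option, the same list is what a web server deny rule (Deny from all on Apache 2.2, Require all denied on 2.4) has to cover, and count_dev_paths still tells you the files are there to be denied.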

Issue History

Date Modified    | Username   | Field            | Change
2025-01-24 19:13 | riqcles    | New Issue        |
2025-01-27 08:24 | DenisChenu | Issue Monitored  | DenisChenu
2025-01-27 08:24 | DenisChenu | Bug heat         | 0 => 2
2025-01-27 10:04 | c_schmitz  | Note Added       | 81906
2025-01-27 10:04 | c_schmitz  | Bug heat         | 2 => 4
2025-01-27 11:42 | riqcles    | Note Added       | 81908
2025-01-27 11:42 | riqcles    | Bug heat         | 4 => 6