Updated to 9.3.5 from 9.3.4. The newest version is in the ***** folder, and it actively uses all the files out of that folder. Doesn’t Concrete copy/move the updated files to where they are supposed to go within the CMS instead of leaving them within the ******* folder?
To me, this seems to be a security risk for it to be constantly operating out of this folder instead of the native location where it would normally operate from.
There are a few ways that Concrete can be updated, including replacing the core concrete folder with a new one.
But when you use the more automatic updater, it puts new copies of the core into the /updates folder, and then that becomes the new core location.
I don’t believe there has been a time where the core has been replaced automatically.
But there’s zero difference in security between running out of /concrete versus running out of /updates/concrete_xxx. Both locations are public, and all the PHP files of the core have a line at the top of them that prevents them from loading directly.
The only security risk I can attach to this involves the meta tags that were removed. Generator, I believe it was. To hide the CMS version. But if you look at the page source of a Concrete site running out of the updates folder, the version sticks out like a sore thumb anyway…
I have never been concerned with whether someone can see if I’m using Concrete (or any other CMS for that matter) via looking at page source; that is always a given regardless of what CMS a person may be using, or if they are doing it all by hand/themselves. My only concern was with certain files being executed arbitrarily, but since they cannot be loaded directly, that should not be a concern for me at this point.
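The reply above says every core PHP file starts with a line that stops it from loading directly. As an added example (not code from the thread or from the Concrete project), this script audits a core folder for PHP files that lack such a guard as their first statement. It assumes the guard has the form `defined('C5_EXECUTE') or die(...)`, which the thread does not quote; the function names and the sample files are constructed for illustration.

```python
import os
import re
import tempfile

# Assumed guard form (not quoted in the thread): defined('C5_EXECUTE') or die(...);
GUARD = re.compile(r"""defined\(\s*['"]C5_EXECUTE['"]\s*\)\s*(or|\|\|)\s*(die|exit)\b""", re.I)
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
# Statements that produce no output and may legally precede the guard.
PREAMBLE = re.compile(r"(?:(?:declare\s*\([^)]*\)|namespace\s+[\w\\]+|use\s+[^;]+)\s*;\s*)*", re.I)

def has_guard(source):
    """True if the guard is the first executable statement of the file."""
    text = source.lstrip()
    if not text.startswith("<?php"):
        return False  # inline HTML before the tag is emitted on a direct request
    body = COMMENTS.sub("", text[5:]).lstrip()
    body = body[PREAMBLE.match(body).end():]
    return GUARD.match(body) is not None

def audit(root):
    """Return sorted relative paths of .php files under root without a leading guard."""
    missing = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if not has_guard(fh.read()):
                        missing.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(missing)

# Constructed sample tree; file names and contents are illustrative only.
SAMPLE = {
    "updates/concrete_xxx/config/app.php": "<?php\ndefined('C5_EXECUTE') or die(\"Access Denied.\");\nreturn [];\n",
    "updates/concrete_xxx/src/Foo.php": "<?php\n// comment\nnamespace Example\\Foo;\n\ndefined('C5_EXECUTE') or die('Access Denied.');\nclass Foo {}\n",
    "updates/concrete_xxx/tools/run.php": "<?php\necho 'ran';\ndefined('C5_EXECUTE') or die('Access Denied.');\n",
    "updates/concrete_xxx/view.php": "<h1>hi</h1>\n<?php defined('C5_EXECUTE') or die('x'); ?>\n",
}

def demo():
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return audit(root)

if __name__ == "__main__":
    print(demo())
```

Files flagged by `audit()` are candidates for review, not confirmed problems: a file that only declares a class does nothing when requested directly, while one that echoes or runs code before the guard does.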