[dokuwiki] Re: Security details on installation

Doug Essinger-Hileman wrote:

On 28 Mar 2007 at 11:43, Doug Essinger-Hileman wrote:


I know, I'm talking to myself, but this will probably help clarify a
thing or two.
Okay, I asked a question a couple of days ago. I've not received an answer. Is this because the question is offtopic for this list? Or does no one know the answer? If offtopic, please accept my apologies, but also, please help me out by sending me in the right direction. 

Doug
If prepend isn't available to you, you could put the prepend details into the index.php file. Also include 

define('DOKU_SCRIPT','index.php');

and change the redirect line -- header("Location: doku.php"); -- to

include('doku.php');
(then backup index.php so you have a copy in case it gets clobbered in an upgrade) 

The above is the method I use to run a debug wrapper around DokuWiki.
For security concerns with allowoverides. Only allow options and for options use the minimum to support php configuration variables and target them at the particular directory/virtual host which requires the .htaccess file.
Its not clear from the apache and php documentation what the minimum option setting required to ensure php values are processed. If you can get away with Options IncludesNoExec, it should be relatively harmless. Conceivably you could configure the include handler to only work with a particular file extension (e.g. .shtml) and then use allow/deny settings in the server or virtual host configuration to prevent access to files with that extension. In effect you would be allowing options but only for php settings. Obviously, there will be security implications for your php environment if there are particular settings that this change would expose to undesirable alterations. 


Cheers,

Chris
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist

Other related posts: