[dokuwiki] Re: Security without .htaccess
- From: Jan Decaluwe <jan@xxxxxxxxxxxxxxx>
- To: dokuwiki@xxxxxxxxxxxxx
- Date: Wed, 11 May 2005 16:01:38 +0200
Andreas Gohr wrote:
>>> Maybe we should use the .php extension for all config files? Even if
>>> they aren't PHP sourcefiles? This way their contents could be
>>> protected by a line like this on top:
>>> # <?php exit()?>
>>> Anyone wants to supply a patch?
>> Ok, as I need it, I'll give it a try. I've looked at it. Before going
>> ahead, I would appreciate a review of the work spec proposal:
>> - minimal effort - only truly sensitive files will be "scriptified".
> Okay, makes sense to me
>> - The sensitive files are in subdir conf: acl.auth and user.auth. They
>> will be renamed to acl.php and user.php.
> correct. Or should they be named acl.conf.php and user.conf.php ?
>> - Distribution versions (.dist) will be provided by renaming the
>> existing ones and inserting the php exit hack.
> fine
>> - The renaming can be propagated in the source code with a
>> 'darcs replace' command.
> I never used it, but that should work.
>> - No changes to the parsing and handling of the files will be
>> required, as the php exit hack is embedded in a script comment.
> correct
>> - Automatic upgrade feature: in the init.php file, a provision will
>> be added to upgrade existing installations automatically. Existing
>> acl.auth and user.auth files will be copied to a php version with
>> the php exit hack.
> Sounds good but may have some permission problems if the directory isn't writable and the new files can't be created.

Good news: I have the patch, along the lines discussed earlier.
Bad news: it doesn't work :-)
It turns out that lines starting with '#' are *also*
comments in php (Grr!). So the php code has to be
uncommented - and we have to be careful with the
parsing of the files.
I'm pausing for a minute to see what the least messy
solution could be. Suggestions welcome.
Jan
--
Jan Decaluwe - Resources bvba - http://jandecaluwe.com
Losbergenlaan 16, B-3010 Leuven, Belgium
Using Python as a hardware description language:
http://jandecaluwe.com/Tools/MyHDL/Overview.html
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
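
The automatic upgrade step from the proposal quoted above, sketched as an added example (it is not DokuWiki's code and not the patch mentioned in the message). It covers the non-writable directory case raised in the review and a reader that skips '#' lines; the function names, status strings and sample entry are hypothetical.

```php
<?php
// Added example, not DokuWiki code. File names come from the thread;
// function names and sample data are hypothetical.

// Guard line exactly as quoted in the thread. PHP passes text outside
// its open/close tags through as output, so the leading "# " is not PHP code.
const GUARD = "# <?php exit()?>\n";

// Copy conf/<name>.auth to conf/<name>.php with the guard line first.
// Returns 'exists', 'nothing-to-do', 'not-writable', 'failed' or 'upgraded'.
function upgrade_auth_file(string $confDir, string $name): string
{
    $old = "$confDir/$name.auth";
    $new = "$confDir/$name.php";
    if (is_file($new)) return 'exists';
    if (!is_file($old)) return 'nothing-to-do';
    // Reviewer's caveat: without write access, report it and change nothing.
    if (!is_writable($confDir)) return 'not-writable';
    $body = file_get_contents($old);
    if ($body === false) return 'failed';
    // Write to a temp file first so a half-written target is never read.
    $tmp = tempnam($confDir, 'up');
    if ($tmp === false) return 'failed';
    $ok = file_put_contents($tmp, GUARD . $body) !== false
        && chmod($tmp, fileperms($old) & 0777)
        && rename($tmp, $new);
    if (!$ok) @unlink($tmp);
    return $ok ? 'upgraded' : 'failed';
}

// Read entries, skipping blank lines and '#' comment lines (guard included).
function read_auth_lines(string $file): array
{
    $out = [];
    foreach (file($file, FILE_IGNORE_NEW_LINES) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') continue;
        $out[] = $line;
    }
    return $out;
}

// Constructed sample in a scratch directory.
$conf = sys_get_temp_dir() . '/conf_' . uniqid();
mkdir($conf);
file_put_contents("$conf/user.auth", "# constructed sample\nalice:placeholder-entry\n");
echo upgrade_auth_file($conf, 'user'), "\n";
print_r(read_auth_lines("$conf/user.php"));
```

The proposal copies rather than moves, so the old .auth file stays in conf and remains as exposed as before until it is removed.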