[dokuwiki] Re: Security without .htaccess

Andreas Gohr wrote:


Maybe we should use the .php extension for all config files? Even if
they aren't PHP sourcefiles? This way their contents could be
protected by a line like this on top:

# <?php exit()?>

Anyone wants to supply a patch?

Ok, as I need it, I'll give it a try. I've looked at it. Before going ahead, I would appreciate a review of the work spec proposal:

- minimal effort - only truly sensitive files will be "scriptified".


Okay, makes sense to me


- The sensitive files are in subdir conf: acl.auth and user.auth. They
will be renamed to acl.php and user.php.


correct. Or should they be named acl.conf.php and user.conf.php ?


- Distribution versions (.dist) will be provided by renaming the
existing ones and inserting the php exit hack.


fine


- The renaming can be propagated in the source code with a
'darcs replace' command.


I never used it, but that should work.


- No changes to the parsing and handling of the files will be
required, as the php exit hack is embedded in a script comment.


correct


- Automatic upgrade feature: in the init.php file, a provision will
be added to upgrade existing installations automatically. Existing
acl.auth and user.auth files will be copied to a php version with
the php exit hack.


Sounds good but may have some permission problems if the directory isn't writable and the new files can't be created.

Good news: I have the patch, along the lines discussed earlier. Bad news: it doesn't work :-)

It turns out that lines starting with '#' are *also*
comments in php (Grr!). So the php code has to be
uncommented - and we have to be careful with the
parsing of the files.

I'm pausing for a minute to see what the least messy
solution could be. Suggestions welcome.

Jan

--
Jan Decaluwe - Resources bvba - http://jandecaluwe.com
Losbergenlaan 16, B-3010 Leuven, Belgium
    Using Python as a hardware description language:
    http://jandecaluwe.com/Tools/MyHDL/Overview.html
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist

Other related posts: