[dokuwiki] Re: Security without .htaccess

  • From: Jan Decaluwe <jan@xxxxxxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Wed, 11 May 2005 16:01:38 +0200

Andreas Gohr wrote:

Maybe we should use the .php extension for all config files? Even if
they aren't PHP sourcefiles? This way their contents could be
protected by a line like this on top:

# <?php exit()?>

Anyone wants to supply a patch?

Ok, as I need it, I'll give it a try. I've looked at it. Before going ahead, I would appreciate a review of the work spec proposal:

- minimal effort - only truly sensitive files will be "scriptified".

Okay, makes sense to me

- The sensitive files are in subdir conf: acl.auth and user.auth. They
will be renamed to acl.php and user.php.

correct. Or should they be named acl.conf.php and user.conf.php ?

- Distribution versions (.dist) will be provided by renaming the
existing ones and inserting the php exit hack.


- The renaming can be propagated in the source code with a
'darcs replace' command.

I never used it, but that should work.

- No changes to the parsing and handling of the files will be
required, as the php exit hack is embedded in a script comment.


- Automatic upgrade feature: in the init.php file, a provision will
be added to upgrade existing installations automatically. Existing
acl.auth and user.auth files will be copied to a php version with
the php exit hack.

Sounds good but may have some permission problems if the directory isn't writable and the new files can't be created.

Good news: I have the patch, along the lines discussed earlier. Bad news: it doesn't work :-)

It turns out that lines starting with '#' are *also*
comments in php (Grr!). So the php code has to be
uncommented - and we have to be careful with the
parsing of the files.

I'm pausing for a minute to see what the least messy
solution could be. Suggestions welcome.


Jan Decaluwe - Resources bvba - http://jandecaluwe.com
Losbergenlaan 16, B-3010 Leuven, Belgium
    Using Python as a hardware description language:
DokuWiki mailing list - more info at

Other related posts: