Thanks for the fix. I'm aware of the access issues and this in fact is the only way I could get the FCKeditor to access media files. There is .htaccess protection but, in addition, the fckgLite implementation of the FCKeditor's file browser is fully ACL-compliant. So, unless you have used fckgLite you can't know whether your security warning is accurate. Please do so before jumping to conclusions. And what are you referring to as the 'non-safe' version?

Myron

On 2/6/2011 7:17 AM, Michael Hamann wrote:
> Hi,
>
> Excerpts from Myron Turner's message of 2011-01-28 14:19:23 +0100:
>> Not sure what the exact procedure is for requesting this kind of change. But I posted it to the bug tracker.
>
> The bug tracker is a good place, discussing it here, too. I've applied your patch, thank you for fixing that problem. Nevertheless I think it is a bad idea to link to the media directory (or anything inside data/) from a plugin because this basically disables the complete ACL read-protection system for media files. There should be a really big warning on the page of your plugin that your plugin disables ACLs for media files. I've added a security warning on the plugin page on dokuwiki.org. You also can't rely on .htaccess as people can use webservers that don't support .htaccess. From what I've seen your approach also doesn't work in farm setups and when the data directory has been moved to another place.
>
> Michael

-- 
Myron Turner
http://mturner.org/
http://mturner.org/fckgLite
http://www.mturner.org/dwfck/doku.php
http://www.room535.org

-- 
DokuWiki mailing list - more info at http://www.dokuwiki.org/mailinglist