[dokuwiki] Re: plugin deletion

  • From: Myron Turner <turnermm02@xxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Sun, 06 Feb 2011 09:05:02 -0600

On 2/6/2011 7:17 AM, Michael Hamann wrote:
> Hi,
>
> Excerpts from Myron Turner's message of 2011-01-28 14:19:23 +0100:
> > Not sure what the exact procedure is for requesting this kind of change.
> > But I posted it to the bug tracker.
>
> The bug tracker is a good place, discussing it here, too. I've applied
> your patch, thank you for fixing that problem. Nevertheless I think it
> is a bad idea to link to the media directory (or anything inside data/)
> from a plugin because this basically disables the complete ACL
> read-protection system for media files. There should be a really big
> warning on the page of your plugin that your plugin disables ACLs for
> media files. I've added a security warning on the plugin page on
> dokuwiki.org. You also can't rely on .htaccess as people can use
> webservers that don't support .htaccess. From what I've seen your
> approach also doesn't work in farm setups and when the data directory
> has been moved to another place.
>
> Michael

Thanks for the fix. I'm aware of the access issues and this in fact is the only way I could get the FCKeditor to access media files. There is .htaccess protection but, in addition, the fckgLite implementation of the FCKeditor's file browser is fully ACL-compliant. So, unless you have used fckgLite you can't know whether your security warning is accurate. Please do so before jumping to conclusions. And what are you referring to as the 'non-safe' version?

Myron


--
Myron Turner
http://mturner.org/
http://mturner.org/fckgLite
http://www.mturner.org/dwfck/doku.php
http://www.room535.org


--
DokuWiki mailing list - more info at
http://www.dokuwiki.org/mailinglist
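
An added example, not part of this thread and not code from DokuWiki or any plugin: a small audit an administrator could run to find links from the plugin tree into the data directory, the condition discussed above. It assumes the link is a filesystem symlink; the function names, the plugin name `editor` and the sample tree are constructed for illustration, and the data directory is passed explicitly so a moved data directory or a farm layout can be checked too.

```python
import os
import tempfile


def find_links_into_data(plugin_root, data_dir):
    """Return sorted (link_path, resolved_target) pairs for every symlink
    under plugin_root that resolves to data_dir or to a path inside it."""
    data_real = os.path.realpath(data_dir)
    hits = []
    # followlinks=False: report the link itself, never descend through it.
    for dirpath, dirnames, filenames in os.walk(plugin_root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            # commonpath equals data_real only when target is at or below it.
            if os.path.commonpath([data_real, target]) == data_real:
                hits.append((path, target))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed layout: one plugin links into data/media, one does not."""
    data = os.path.join(base, "data")
    plugins = os.path.join(base, "lib", "plugins")
    os.makedirs(os.path.join(data, "media"))
    os.makedirs(os.path.join(plugins, "editor"))
    os.makedirs(os.path.join(plugins, "other", "images"))
    with open(os.path.join(data, "media", "private.png"), "wb") as fh:
        fh.write(b"constructed sample")
    # Link from a plugin into the data directory: should be reported.
    os.symlink(os.path.join(data, "media"),
               os.path.join(plugins, "editor", "media"))
    # Link that stays inside the plugin tree: should not be reported.
    os.symlink(os.path.join(plugins, "other", "images"),
               os.path.join(plugins, "other", "img"))
    return plugins, data


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        plugins, data = build_sample_tree(base)
        for link, target in find_links_into_data(plugins, data):
            print(f"{link} -> {target}")
```

Files reachable through a reported link are served by the web server as static files, without passing through the wiki's ACL check, unless the server configuration blocks that path.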
