[dokuwiki] Re: somewhat urgent question - hiding contents in _media
- From: Christopher Smith <chris@xxxxxxxxxxxxx>
- To: dokuwiki@xxxxxxxxxxxxx
- Date: Sun, 23 Mar 2008 19:06:58 +0000
On 23 Mar 2008, at 14:54, Tobias Eigen wrote:
> Hi Andi,
>
> It is now possible for unauthenticated people to access all the
> contents of the _media path, including google. This is disastrous for
> us as we have been using the wiki for internal discussions and
> planning. We have namespaces set up to be public, and others set up to
> be private. All content uploaded to the wiki, whatever the namespace,
> is publicly visible.
>
> Maybe I need to phrase the question another way: is it possible to
> block direct access to the _media path, or to verify that you can only
> access certain media if you are authenticated for that namespace?
>
> Cheers,
> Tobias

It's always been possible. DW can't protect you from your webserver.
You have two main choices:
- prevent your webserver from directly serving the media files. The
standard DW installation includes a ".htaccess" file that denies direct
access to files in the data directory -- for webservers that
understand them and are configured to use them (e.g. Apache).
- move your data directory outside your webroot.
More information can be found at http://wiki.splitbrain.org/wiki:security
- Chris
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
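
A filesystem-side check for the two options in the reply above, added here as an example and not code from the thread or from DokuWiki: it reports whether a data directory sits outside the webroot, is covered by a deny-all .htaccess, or is exposed. The paths in demo() are constructed, and the function names are hypothetical. It assumes Apache directive syntax and no symlink inside the webroot pointing at the data directory, and it cannot tell whether the server actually honours .htaccess files, which the reply notes is required.

```python
import os
import re
import tempfile

# Deny-all directives: Apache 2.2 syntax and Apache 2.4 syntax.
DENY_ALL = re.compile(r"(deny\s+from\s+all|require\s+all\s+denied)$", re.I)

def denies_all(htaccess_text):
    """True if a deny-all directive appears outside any <Files>/<If...> section."""
    depth = 0
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if line.startswith("</"):
            depth = max(0, depth - 1)
        elif line.startswith("<"):
            depth += 1   # a deny inside a section only covers that section
        elif depth == 0 and DENY_ALL.match(line):
            return True
    return False

def audit_data_dir(webroot, data_dir):
    """Return "outside-webroot", "htaccess-deny" or "exposed" (filesystem view only)."""
    root = os.path.realpath(webroot)
    path = os.path.realpath(data_dir)
    if os.path.commonpath([root, path]) != root:
        return "outside-webroot"
    while path != root:                 # an .htaccess also covers subdirectories
        candidate = os.path.join(path, ".htaccess")
        if os.path.isfile(candidate):
            with open(candidate, encoding="utf-8", errors="replace") as fh:
                if denies_all(fh.read()):
                    return "htaccess-deny"
        path = os.path.dirname(path)
    return "exposed"

def demo():
    """Constructed sample layout (assumed paths, not taken from the thread)."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = os.path.join(tmp, "htdocs")
        media = os.path.join(webroot, "wiki", "data", "media")
        moved = os.path.join(tmp, "wikidata")
        os.makedirs(media)
        os.makedirs(moved)
        before = audit_data_dir(webroot, media)
        with open(os.path.join(os.path.dirname(media), ".htaccess"), "w") as fh:
            fh.write("order allow,deny\ndeny from all\n")
        return before, audit_data_dir(webroot, media), audit_data_dir(webroot, moved)

if __name__ == "__main__":
    print(demo())
```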