[dokuwiki] Re: Security details on installation

  • From: Chris Smith <chris@xxxxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Fri, 30 Mar 2007 14:24:12 +0100

Doug Essinger-Hileman wrote:
On 28 Mar 2007 at 11:43, Doug Essinger-Hileman wrote:

I know, I'm talking to myself, but this will probably help clarify a
thing or two.

Okay, I asked a question a couple of days ago. I've not received an answer. Is this because the question is offtopic for this list? Or does no one know the answer? If offtopic, please accept my apologies, but also, please help me out by sending me in the right direction.

Doug

If prepend isn't available to you, you could put the prepend details into the index.php file. Also include

define('DOKU_SCRIPT','index.php');

and change the redirect line -- header("Location: doku.php"); -- to

include('doku.php');

(then back up index.php so you have a copy in case it gets clobbered in an upgrade)

The above is the method I use to run a debug wrapper around DokuWiki.

For security concerns with AllowOverride: only allow Options, and for Options use the minimum to support PHP configuration variables, and target them at the particular directory/virtual host which requires the .htaccess file.

It's not clear from the Apache and PHP documentation what the minimum option setting required to ensure PHP values are processed is. If you can get away with Options IncludesNoExec, it should be relatively harmless. Conceivably you could configure the include handler to only work with a particular file extension (e.g. .shtml) and then use allow/deny settings in the server or virtual host configuration to prevent access to files with that extension. In effect you would be allowing options but only for PHP settings. Obviously, there will be security implications for your PHP environment if there are particular settings that this change would expose to undesirable alterations.


Cheers,

Chris
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
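
The override scoping described in the reply above, written out as an Apache configuration sketch. This is an added example, not part of the original post or of DokuWiki. Assumptions: the paths are hypothetical, PHP runs as an Apache module, the `Options=` form of `AllowOverride` needs Apache 2.2 or later, and `Require all denied` is Apache 2.4 syntax.

```apache
# Constructed example; /var/www and /var/www/dokuwiki are hypothetical paths.

# Broad setting, shown for contrast: every override class is open to
# .htaccess files in the wiki directory.
# <Directory "/var/www/dokuwiki">
#     AllowOverride All
# </Directory>

# Everything under the document root ignores .htaccess files...
<Directory "/var/www">
    AllowOverride None
</Directory>

# ...except the one directory that needs per-directory PHP settings.
<Directory "/var/www/dokuwiki">
    # PHP's php_value/php_flag directives are accepted in .htaccess when
    # the Options override class is allowed. The "=IncludesNoExec" list
    # limits what an Options line in .htaccess may switch on.
    AllowOverride Options=IncludesNoExec

    # The include handler is tied to a single extension here, in the
    # server configuration, and requests for that extension are refused,
    # so turning on IncludesNoExec from .htaccess has nothing to act on.
    AddOutputFilter INCLUDES .shtml
    <FilesMatch "\.shtml$">
        # Apache 2.4 syntax; on 2.2 use "Order allow,deny" / "Deny from all".
        Require all denied
    </FilesMatch>
</Directory>

# A .htaccess in /var/www/dokuwiki can then carry PHP settings only,
# for example (constructed value, hypothetical file name):
#     php_value auto_prepend_file "/var/www/dokuwiki/prepend.php"
```

Any PHP setting that is changeable per directory becomes writable by whoever can edit that .htaccess file, which is the exposure the last sentence of the reply refers to.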
