[dokuwiki] Re: Security without .htaccess

  • From: Jan Decaluwe <jan@xxxxxxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Tue, 10 May 2005 21:53:58 +0200

Andreas Gohr wrote:

> Hi!
>
>> The easiest workaround is to put blank index.html files
>> in directories whose content should be "hidden".
>
> Well a blank index.html just avoids directory browsing - one could still
> access the files directly.
>
>> Given the openness of the source code, and wiki content,
>> this seems like overkill.
>
> Correct, as long as all your content is viewable in the wiki there is no
> point in hiding the data files.
>
>> I think it's sufficient to protect user data by putting
>> a blank index.html file in the 'conf' directory.
>
> Again this protects you from directory browsing only.

Right. Of course - this is definitely not acceptable.

> Maybe we should use the .php extension for all config files? Even if
> they aren't PHP sourcefiles? This way their contents could be protected
> by a line like this on top:
>
> # <?php exit()?>
>
> Anyone want to supply a patch?

Ok, as I need it, I'll give it a try. I've looked at it. Before going ahead, I would appreciate a review of the work spec proposal:

- minimal effort - only truly sensitive files will be "scriptified".
- The sensitive files are in subdir conf: acl.auth and user.auth. They
will be renamed to acl.php and user.php.
- Distribution versions (.dist) will be provided by renaming the
existing ones and inserting the php exit hack.
- The renaming can be propagated in the source code with a
'darcs replace' command.
- No changes to the parsing and handling of the files will be required,
as the php exit hack is embedded in a script comment.
- Automatic upgrade feature: in the init.php file, a provision will
be added to upgrade existing installations automatically. Existing
acl.auth and user.auth files will be copied to a php version with
the php exit hack.

Regards,

Jan

--
Jan Decaluwe - Resources bvba - http://jandecaluwe.com
Losbergenlaan 16, B-3010 Leuven, Belgium
    Using Python as a hardware description language:
    http://jandecaluwe.com/Tools/MyHDL/Overview.html
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
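The "scriptified" config file scheme from the spec above, as an added example that is not DokuWiki code and not part of the original post: the guard line, the automatic upgrade copy, a reader that treats the guard as a comment, and a check that the guard really is the first line. Function names, the temp directory and the sample ACL lines are assumptions made for this illustration.

```php
<?php
// Added example (not DokuWiki code). Names below are assumptions.

// First line of every protected file. If the web server hands the file to
// PHP, it prints the leading "# " and exits, so nothing after it is sent.
// When the wiki reads the file itself, the line is just a '#' comment.
const GUARD_LINE = "# <?php exit()?>";

// Copy a plain config file (e.g. conf/acl.auth) to its .php counterpart
// with the guard line prepended. Mirrors the proposed init.php upgrade
// step; does nothing if the target already exists.
function upgrade_config_file(string $src, string $dst): bool {
    if (!is_file($src) || file_exists($dst)) {
        return false;
    }
    $body = file_get_contents($src);
    return file_put_contents($dst, GUARD_LINE . "\n" . $body) !== false;
}

// Read a guarded file the way the existing parsers already do: skip blank
// lines and '#' comments (the guard line included), return the data lines.
function read_config_lines(string $file): array {
    $lines = [];
    foreach (file($file, FILE_IGNORE_NEW_LINES) as $line) {
        $t = trim($line);
        if ($t === '' || $t[0] === '#') {
            continue;
        }
        $lines[] = $t;
    }
    return $lines;
}

// Installation check: the guard must be the very first line, otherwise PHP
// would send everything that precedes "<?php" to the browser.
function has_guard(string $file): bool {
    $h = fopen($file, 'r');
    $first = rtrim((string) fgets($h), "\r\n");
    fclose($h);
    return $first === GUARD_LINE;
}

// Constructed sample: a two-line acl.auth in a temp dir, upgraded to acl.php.
$dir = sys_get_temp_dir() . '/conf_example';
@mkdir($dir);
file_put_contents("$dir/acl.auth", "*  @ALL  1\n*  @admin  255\n");
upgrade_config_file("$dir/acl.auth", "$dir/acl.php");
var_dump(has_guard("$dir/acl.php"));         // guard is line one
print_r(read_config_lines("$dir/acl.php"));  // the ACL lines, guard skipped
```

The guard only helps where the server actually runs .php files through PHP; on a host that serves conf/ as static files, the renamed file is still readable as text, which is what has_guard cannot detect and an HTTP request to the file would.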
