[dokuwiki] Re: Security without .htaccess

  • From: Andreas Gohr <andi@xxxxxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Tue, 10 May 2005 22:35:01 +0200

Hi!

> > Maybe we should use the .php extension for all config files? Even if
> > they aren't PHP source files? This way their contents could be
> > protected by a line like this on top:
> > 
> > # <?php exit()?> 
> > 
> > Does anyone want to supply a patch?
> 
> Ok, as I need it, I'll give it a try. I've looked at it. Before going
> ahead, I would appreciate a review of the work spec proposal:
> 
> - minimal effort - only truly sensitive files will be "scriptified".

Okay, makes sense to me.

> - The sensitive files are in subdir conf: acl.auth and user.auth. They
> will be renamed to acl.php and user.php.

Correct. Or should they be named acl.conf.php and user.conf.php?

> - Distribution versions (.dist) will be provided by renaming the
> existing ones and inserting the php exit hack.

fine

> - The renaming can be propagated in the source code with a
> 'darcs replace' command.

I never used it, but that should work.

> - No changes to the parsing and handling of the files will be
> required, as the php exit hack is embedded in a script comment.

correct

> - Automatic upgrade feature: in the init.php file, a provision will
> be added to upgrade existing installations automatically. Existing
> acl.auth and user.auth files will be copied to a php version with
> the php exit hack.

Sounds good but may have some permission problems if the directory isn't 
writable and the new files can't be created.

Andi
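
The automatic upgrade step discussed in this thread, sketched as an added example; it is not part of the original message and not DokuWiki's own code. It copies an old auth file to its .php name with the exit line on top and reports the non-writable-directory case raised in the reply. The function name, the scratch directory and the sample file content are assumptions made for illustration.

```php
<?php
// Added illustration, not DokuWiki code. upgrade_auth_file() and the
// sample data below are hypothetical names and constructed values.
const EXIT_GUARD = "# <?php exit()?>\n";

function upgrade_auth_file(string $old, string $new): string
{
    if (file_exists($new)) {
        return 'already-upgraded';
    }
    if (!is_readable($old)) {
        return 'nothing-to-upgrade';
    }
    // The permission problem raised in the reply: the conf directory
    // may not be writable by the web server user.
    if (!is_writable(dirname($new))) {
        return 'conf-dir-not-writable';
    }
    $body = file_get_contents($old);
    if ($body === false) {
        return 'read-failed';
    }
    // Write under a temporary name that also ends in .php and starts
    // with the guard line, then rename into place.
    $tmp = dirname($new) . '/tmp-' . basename($new);
    if (file_put_contents($tmp, EXIT_GUARD . $body, LOCK_EX) === false) {
        return 'write-failed';
    }
    chmod($tmp, fileperms($old) & 0777);   // keep the old file's mode
    return rename($tmp, $new) ? 'upgraded' : 'rename-failed';
}

// Demo on constructed data in a scratch directory.
$conf = sys_get_temp_dir() . '/conf-demo-' . getmypid();
mkdir($conf, 0700);
file_put_contents("$conf/user.auth", "# constructed sample entry\nexample-line\n");

echo upgrade_auth_file("$conf/user.auth", "$conf/user.php"), "\n";
echo upgrade_auth_file("$conf/user.auth", "$conf/user.php"), "\n";

// A line-based reader that skips '#' comments sees the same entries as
// before, which is why no parser change is needed.
$lines = array_filter(
    file("$conf/user.php", FILE_IGNORE_NEW_LINES),
    fn($l) => $l !== '' && $l[0] !== '#'
);
print_r(array_values($lines));
```

The guard only protects the file when the web server hands .php files to the PHP interpreter; if PHP handling is disabled for that directory, the file is served as plain text like any other.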
