[Pmwiki-users] more thoughts on .htaccess

Patrick R. Michaud pmichaud
Tue Dec 7 09:41:29 CST 2004

On Tue, Dec 07, 2004 at 11:26:39AM -0500, Neil Herber wrote:
> Given that:
> * the risk is relatively small
> * not all servers support .htaccess
> * Apache 2 by default disables .htaccess
> * we want PmWiki to be easy to install
> * making .htaccess in "local/" part of the default PmWiki install requires a
>         note to make sure that future upgrades don't clobber it
> I suggest that .htaccess be removed from the default install and that the 
> page PmWiki/Security have an entry added that describes how to install and 
> activate it on Apache or other servers that use .htaccess. 

Yes, but also given that:

* the cost of having the .htaccess distributed in local/ is relatively small
* very few people will ever have a need to modify local/.htaccess 
  (i.e., upgrades aren't really an issue here)
* those who do need different local/.htaccess settings can easily work
  around it (e.g., by placing such settings in httpd.conf)
* the existence of the file invites inspection and curiosity, which can
  lead an admin to take a look at PmWiki.Security if it's important
* having local/.htaccess installed by default helps a large group of 
  people at a very minor cost to a very small minority of admins (i.e.,
  those who need a custom .htaccess file in local/ and can't easily achieve
  the results any other way)

I think it's worth leaving it in the distribution.  

If someone comes across a real case in practice where having the .htaccess
in the distribution is greatly complicating site configuration or upgrading
(i.e., in a way that isn't easily worked around), then I'll see about
removing it from the distribution.  Otherwise, I see only benefit and
little cost to having it there.

But it is definitely worth having a fuller description of these (and
related) issues in PmWiki.Security, with an appropriate reference in the
.htaccess file.


More information about the pmwiki-users mailing list