[Pmwiki-users] pmwiki-2.0.beta7 released

Patrick R. Michaud pmichaud
Wed Dec 8 10:07:26 CST 2004


On Wed, Dec 08, 2004 at 11:51:49AM -0500, Neil Herber wrote:
> At 2004-12-08  08:56 AM -0700, Patrick R. Michaud is rumored to have said:
> >This release also:
> >
> > * fixes up the .htaccess files that are placed in local/ and wiki.d/
> 
> ?????
> How does an .htaccess file get into wiki.d/? The tarball does not have a 
> wiki.d/  directory (as expected). Is this a scripted action or just a typo?

Scripted.  Unlike the local/ directory, PmWiki *does* expect to be able
to write things into wiki.d/ and so it creates a default wiki.d/.htaccess
file if one doesn't exist.  This is to prevent people from doing things
like

   http://www.pmwiki.org/pmwiki/wiki.d/Main.Sandbox

and viewing the contents of the wiki.d files directly.  Granted this
.htaccess file doesn't solve the problem for people on IIS or where
.htaccess isn't enabled, but it handles the great majority of installations
without having to think about it too much.

Anticipating the response that some may make that this approach isn't
sufficient and that PmWiki's default installation/setup procedure should
always result in a completely secure setup for every possible webserver
configuration-- I simply invite you to write one and submit it for
inclusion in PmWiki.  Remember it needs to be accessible to the average
PmWiki administrator, who often has no idea what a .htaccess file is,
what webserver they may be running, or how it's configured.

At some point I think it'd be nice to have a "diagnostics" script that
analyzes an installation and identifies places where the configuration
might be tuned for better security/performance.  A couple of times
I've started to write such scripts, but they quickly become very involved
and system configuration specific and it's hard for me to get access
to a wide enough variety of platforms to test them on.

Pm
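
A starting point for the kind of "diagnostics" check mentioned above, as an added example that is not part of the original message and is not PmWiki's own code. The function names are hypothetical, the deny patterns are Apache's standard "Deny from all" / "Require all denied" forms (assumed, not copied from the file PmWiki generates), and the install tree in demo() is constructed.

```python
import os
import re
import tempfile

# Apache directives that refuse every request (2.2-style and 2.4-style); assumed forms.
DENY_ALL = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I)

def htaccess_denies_all(path):
    """Return True if the .htaccess at `path` has an uncommented deny-everything line."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    except OSError:
        return False
    return any(DENY_ALL.match(ln) for ln in lines if not ln.lstrip().startswith("#"))

def check_install(root, dirs=("wiki.d", "local")):
    """Map each directory to 'missing-dir', 'no-htaccess', 'no-deny-rule' or 'ok'."""
    report = {}
    for name in dirs:
        d = os.path.join(root, name)
        ht = os.path.join(d, ".htaccess")
        if not os.path.isdir(d):
            report[name] = "missing-dir"
        elif not os.path.isfile(ht):
            report[name] = "no-htaccess"
        elif not htaccess_denies_all(ht):
            report[name] = "no-deny-rule"
        else:
            report[name] = "ok"
    return report

def classify_probe(status):
    """Interpret the HTTP status returned for a page file such as wiki.d/Main.Sandbox."""
    if status == 200:
        return "exposed"      # server ignored or never read the .htaccess
    if status in (401, 403, 404):
        return "blocked"
    return "inconclusive"

def demo():
    """Constructed tree: wiki.d/ has a deny rule, local/ has no .htaccess at all."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wiki.d"))
    os.makedirs(os.path.join(root, "local"))
    with open(os.path.join(root, "wiki.d", ".htaccess"), "w") as fh:
        fh.write("# constructed sample\nOrder Deny,Allow\nDeny from all\n")
    return check_install(root)

if __name__ == "__main__":
    print(demo())
```

An "ok" from check_install() only says the file is on disk; on IIS or where .htaccess is not enabled the server never reads it, so the status of a request for a wiki.d file from your own site, passed to classify_probe(), is the check that settles it.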


