[pmwiki-users] Re: Request for changing the default upload policy

H. Fox haganfox at users.sourceforge.net
Thu Dec 29 15:49:09 CST 2005


On 12/29/05, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> On Wed, Dec 28, 2005 at 07:18:55PM +0100, Mikael Nilsson wrote:
> > On Wed 2005-12-28 at 11:55 -0600, Patrick R. Michaud wrote:
> > > Another possibility is to simply create scripts/secure.php, and
> > > then someone wanting high security can do:
> > >
> > >     include_once('scripts/secure.php');
> > >
> > > Then we can stay with just a single sample-config.php file,
> > > and the sample include line can go at or near the top of the
> > > script (with appropriate explanation of what to do with it).
> >
> > The major problem with this is that it's not really a pure add-on, but
> > it *modifies* the settings of a number of configuration variables. So
> > unless you *don't* set these variables later in config.php, this
> > actually does nothing.
>
> I'm afraid I don't see the problem here.  With a scripts/secure.php
> script, a site's config file ends up looking like:
>
>     <?php if (!defined('PmWiki')) exit();
>        include_once("$FarmD/scripts/secure.php");
>
>        # Other configuration settings go here...
>
> Essentially, secure.php will set variables to default to higher
> security, just as if they had been originally set that way by PmWiki.
> The config.php file can of course then override a setting made
> by secure.php, but that's entirely up to the admin.
>
> The other big advantage of this approach is that admins don't have
> to review the contents of sample-secure.php with each upgrade and
> fold changes into their config.php -- they automatically get any
> new security settings as part of the upgrade.

This is a fantastic idea, notably not mutually exclusive with having
multiple sample-config.php files.

> > Shipping an additional sample config has the advantage that it's 100%
> > clear what happens.
>
> I don't see that using a separate secure.php script makes it
> any less clear; one can just as easily read scripts/secure.php
> as they can a sample-secure.php file (assuming both are well
> commented).  And if someone doesn't want to do the include,
> there's no problem with simply copying the contents of
> scripts/secure.php into local/config.php and then modifying it
> there.



