[pmwiki-users] protection against reading directories with truncated path

Patrick R. Michaud pmichaud at pobox.com
Wed Sep 14 08:44:45 CDT 2005


On Wed, Sep 14, 2005 at 12:46:00PM +0200, Stephan Schildberg wrote:
> How can I protect my "uploads directories" from outside access? You 
> know, you get a list of the directories  files on the screen.
> 
> This is what I do now, inserting an index.htm with that piece of html to 
> deviate to the next higher level of a PmWiki created page.

This is a good approach -- no problem.  As Hagan mentioned, you
can also set $EnableDirectDownload=0; and then block webserver
access to the directory entirely.

> The next question is, how I can keep my visitors from watching pages 
> which do not exist, aka what normally would be a 404 -error page.
> Here obviously my method (index.htm - deviation) above does not apply.

You can actually have PmWiki return a 404 for non-existent pages:

    if ($action == 'browse' && $pagename && !PageExists($pagename)) {
      header("HTTP/1.0 404 Not Found");
      print "Page Not Found\n";
      exit();
    }

> Last question in this context is how I can produce a standalone for a cd 
> (where I would renounce of search features and so on...). - Now I just 
> make a copy with with WinHTTrack, which makes not very clean URLs., but 
> at least its a simple solution. -

Off-and-on I've been working on an "HTML export" feature, where
one can take an existing PmWiki site and export it as a set of
static web pages (that actually have ".html" in the URL as well
as correct links).  I'll bump up the priority on this a bit,
as I need it for another application I'm working on.

> Will I be able to produce a standalone for a cd , after I protected all 
> holes for lurking at the the backyard of my site?

For standalone CD use, it might be worthwhile looking at the
StandAlone cookbook recipe as another mechanism for serving up
PmWiki pages.

Pm




More information about the pmwiki-users mailing list