|
Cookbook /
WebServerSecuritySummary: How to use ".htaccess" to make PmWiki more secure
Version:
Prerequisites:
Status:
Maintainer: NeilHerber
Categories: Security, Administration
QuestionHow can I use ".htaccess" to make PmWiki more secure? AnswerThe Apache server (and other compatible web servers) can make use of per-directory ".htaccess" files to control access. For PmWiki, there is a small but finite danger that scripts (configuration files) in the "local/" or "cookbook/" directories could be used to compromise your server. Most configuration files simply set values for variables and may include a few other scripts. But if a configuration file manipulates files or makes calls to the operating system (or includes another script that does). Any risk from the configuration files can be virtually eliminated by making sure the beginning of the file reads... <?php if (!defined('PmWiki')) exit();
As an extra precaution, you may wish to include an ".htaccess" file in "local/" and "cookbook/". The file should read: --- more text here --- In the Apache 2 ".htaccess" tutorial (http://httpd.apache.org/docs-2.0/howto/htaccess.html) they suggest that to improve performance, all the configuration done using per-directory .htaccess files should be moved into the main httpd.conf file. However, if you do not have access to httpd.conf, the only choice you have is to use .htaccess. There is also some debate as to how much of a performance hit .htaccess processing creates. |