[pmwiki-users] Security for uploaded files (continued)

Tegan Dowling tmdowling at gmail.com
Wed Dec 21 11:00:21 CST 2005


In the uploads/ directory of one of my sites, I have a .htaccess file
containing
   Order Deny,Allow
   Deny from all
And I have $EnableDirectDownload=0; in the local/config.php.

With one exception (or set of exceptions), this works excellently for making
attachments behave the way I would like.  Now any file that is uploaded to a
wikigroup inherits that wikigroup's (read) protection (if there is any) - so
uploads to *unprotected* groups are also unprotected.

The single (known to me) exception to this is the case where I want to
specify a background image for some part of the site (header, body, etc) in
the skin's .css file via a line like
background: url("/uploads/Site/image.jpg");

With this setup, the background image becomes unviewable when I'm protecting
uploads with the .htaccess file and $EnableDirectDownload=0;. I'm guessing
this is because the .htaccess file is preventing the image from being viewed
directly, while the fact that the image is pointed to from the .css file
instead of via "Attach:" markup prevents the Site wikigroup's security
settings from operating on it - is that right?

I'd like to try to understand why such an image doesn't display, and whether
there is a way to fix it while still using the .htaccess and
$EnableDirectDownload=0; security method, since I'd like to make this method
of securing uploaded files the default configuration for my wikis.

Any discussion or suggestions?

Thanks!

Tegan Dowling
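
Added illustration, not part of the original message or of PmWiki: a stylesheet url() reference is fetched by the browser as a plain request for /uploads/Site/image.jpg, which Apache answers from the .htaccess rules without involving PmWiki's group permissions. Assuming the same Apache 2.2-style access directives as in the post, and that overrides are honoured in subdirectories of uploads/, a second .htaccess in uploads/Site/ can exempt that one file while every other upload stays denied.

```apache
# --- uploads/.htaccess (as given in the post) ---
# Every direct request below uploads/ is refused, so attachments are
# only reachable through PmWiki when $EnableDirectDownload=0; is set.
Order Deny,Allow
Deny from all

# --- uploads/Site/.htaccess (added here; an assumption, not from the post) ---
# Exempt only the skin's background image. The <Files> block matches by
# file name, so every other file in uploads/Site/ still falls under the
# "Deny from all" inherited from uploads/.htaccess.
<Files "image.jpg">
    Order Allow,Deny
    Allow from all
</Files>
```

Any file named in the <Files> block is readable by anyone regardless of wiki permissions, so list only images the skin needs.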