[pmwiki-users] How use lowercase in Group Names

Waylan Limberg waylan at gmail.com
Wed Sep 28 15:54:20 CDT 2005


On 9/28/05, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> On Wed, Sep 28, 2005 at 10:06:12PM +0200, Joachim Durchholz wrote:
> > Waylan Limberg schrieb:
> > >RewriteCond %{REQUEST_FILENAME} !-f
> > >RewriteRule ^(.*)$ phwiki.php?n=$1 [QSA,L]
> > >
> > >The key is the "!-f" part which essentially means: 'If the requested
> > >file name does not exist use this rewrite rule, otherwise proceed as
> > >normal'.
> >
> > Hmm... I see pros and cons for that.
> >
> > On the pro side, you can structure your namespace simply by creating the
> > appropriate files. Easy and convenient.
> >
> > On the con side:
> >
> > 1. This gives access to all directories, even those that are supposed to
> > be restricted... think wiki.d/Site.SideBar, which then anybody could
> > download including passwords and all other attributes.
>
> Surely the existence of the "!-f" doesn't cause Apache to bypass any
> .htaccess files or other access controls that may be in place
> (such as the one that is already in wiki.d/.htaccess).
>
> As I read the above rewrite rule, it says to rewrite
> the url only if the url *doesn't* correspond to a file in the
> filesystem.  If the url does correspond to a file, then the rewrite
> rule doesn't fire, and execution continues on as if the rewrite rule
> wasn't present.  In this sense it's no more or less secure than the
> other CleanURL approaches.

Yeah, my thought exactly. If you're relying on a rewrite rule for
security, you're in for some problems. Apache offers other measures
for this, as PmWiki makes use of. The question is: What does Apache do
if the check for existence of a file returns permission
denied/forbidden? Does the Apache error page get returned (which could
be overridden with another line in .htaccess) or does it run the
rewrite rule? I gotta run, so I don't have time to test it now. Maybe
later.
>
> > Passwords wouldn't be *that* large a problem if they are stored in
> > encrypted form (I'm not sure about that), but you get the drift, I think
> > :-).
>
> Passwords in PmWiki are always stored in encrypted form.
>
> Pm


--
----
Waylan Limberg
waylan at gmail.com
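
Added example (not part of the original thread, and not PmWiki or Apache code): because the "!-f" condition leaves every existing file un-rewritten, whether such a file can be downloaded depends only on the access controls around it, so this audit lists the files under a document root that no deny rule in an .htaccess covers. The deny-directive pattern is a textual heuristic, and the directory layout, including index.php and backup/, is a constructed sample.

```python
import os
import re
import tempfile
from pathlib import Path

# Heuristic (assumption): a directory is protected when an .htaccess in it
# or in one of its parents contains one of these Apache deny directives.
DENY_RE = re.compile(r"^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$",
                     re.IGNORECASE | re.MULTILINE)

def has_deny(directory):
    """True if directory/.htaccess exists and contains a deny-all directive."""
    try:
        text = Path(directory, ".htaccess").read_text(errors="replace")
    except OSError:
        return False
    return bool(DENY_RE.search(text))

def unprotected_files(docroot):
    """Relative paths of existing files (which "!-f" leaves un-rewritten)
    that are not covered by a deny rule in their own or a parent directory."""
    docroot = os.path.abspath(docroot)
    exposed, denied = [], {}
    for current, _dirs, files in os.walk(docroot):  # top-down: parents first
        denied[current] = (denied.get(os.path.dirname(current), False)
                           or has_deny(current))
        if denied[current]:
            continue
        for name in files:
            if name.startswith(".ht"):  # assumed blocked by the stock httpd.conf
                continue
            rel = os.path.relpath(os.path.join(current, name), docroot)
            exposed.append(rel.replace(os.sep, "/"))
    return sorted(exposed)

def build_sample(root):
    """Constructed sample tree resembling a wiki install, not a real site."""
    layout = {
        "index.php": "<?php /* constructed entry point */",
        "wiki.d/.htaccess": "Order Deny,Allow\nDeny from all\n",
        "wiki.d/Site.SideBar": "constructed page file",
        "backup/Site.SideBar": "constructed stray copy, no .htaccess here",
    }
    for rel, text in layout.items():
        full = Path(root, rel)
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_text(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print("\n".join(unprotected_files(tmp)))
```

On the sample tree the copy under wiki.d/ is covered by its .htaccess, while the stray copy under backup/ is reported.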