[pmwiki-users] Protect uploaded files from direct access?
Patrick R. Michaud
pmichaud at pobox.com
Tue Jun  5 09:06:36 CDT 2007

On Tue, Jun 05, 2007 at 03:58:27PM +0200, martin at kerz.org wrote:
> I'm looking for a (preferably automated) solution to completely  
> protect uploaded files from external access. If I upload a file  
> within a group that is protected with a password, the file still can  
> be accessed externally using the direct path, i.e.  
> http://yourhost/pmwiki/uploads/Secretgroup/file.ext
> 
> Setting $EnableDirectDownload=0 does only restrict the access from  
> within the wiki.
> 
> A friend of mine suggested to control the access to the subfolder  
> using a .htaccess file. Is there a solution based on that method that  
> is known to work?
> 
> Moreover, I would love to have an automated protection. Is there a  
> recipe for pmwiki to restrict direct access to uploaded files?

Try copying the .htaccess file from your wiki.d/ directory into
the uploads/ directory.  It should read

    Order Deny,Allow
    Deny from all

This tells the webserver to deny all direct access to files in the 
uploads/ directory.  Since PmWiki doesn't use the webserver to
access the files in uploads/, it will still be able to respond to
?action=download requests (after checking authorizations).

Another possibility is to move uploads/ somewhere completely outside
of the webserver tree, and use $UploadDir to point to this new location:

    $UploadDir = '/path/to/uploads';

Pm
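
Added example (not part of the original message, and not PmWiki code): a shell script that copies the deny rule from wiki.d/ into uploads/ as described above and audits the result. The function names are hypothetical; it goes beyond the message by also accepting the Apache 2.4 spelling "Require all denied" and by offering an optional curl probe, since a .htaccess file only takes effect when the server's AllowOverride setting permits it.

```sh
#!/bin/sh
# Added example: apply and audit the deny-all rule for a PmWiki uploads/ dir.
# Function names are hypothetical; paths and URL come from the caller.

# Succeed only if DIR/.htaccess denies everyone and grants nobody. Accepts
# "Deny from all" (the form in the post) and Apache 2.4 "Require all denied".
denies_all() {
    ht="$1/.htaccess"
    [ -f "$ht" ] || return 1
    rules=$(grep -Ev '^[[:space:]]*#' "$ht") || true   # drop comment lines
    # An Allow or "Require ... granted" line could reopen access: fail closed.
    if printf '%s\n' "$rules" |
        grep -Eiq '^[[:space:]]*(allow[[:space:]]+from|require[[:space:]].*granted)'; then
        return 1
    fi
    printf '%s\n' "$rules" | grep -Eiq \
        '^[[:space:]]*(deny[[:space:]]+from[[:space:]]+all|require[[:space:]]+all[[:space:]]+denied)[[:space:]]*$'
}

# Copy wiki.d/.htaccess into uploads/ unless uploads/ already has one
# (an existing file is kept, then audited like any other).
protect_uploads() {
    src="$1/.htaccess"; dst="$2/.htaccess"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    [ -e "$dst" ] || cp "$src" "$dst"
    denies_all "$2"
}

# Live check (needs curl and network access): the rule only takes effect if
# the server's AllowOverride permits it, so confirm a direct URL returns 403.
direct_access_blocked() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1") || return 2
    [ "$code" = "403" ]
}

# Usage: sh protect-uploads.sh WIKI_D_DIR UPLOADS_DIR [DIRECT_FILE_URL]
if [ "$#" -ge 2 ]; then
    protect_uploads "$1" "$2" || { echo "uploads/ is not protected" >&2; exit 1; }
    if [ -n "${3:-}" ] && ! direct_access_blocked "$3"; then
        echo "direct URL is still served" >&2; exit 1
    fi
    echo "uploads/ protected"
fi
```

Pass a direct file URL as the third argument to confirm the server really answers 403; ?action=download requests should keep working after the rule is in place.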