[pmwiki-users] Fwd: uploads security vs PmWikiDraw

Ciaran ciaranj at gmail.com
Wed May 2 15:50:02 CDT 2007


On 5/2/07, Tegan Dowling <tmdowling at gmail.com> wrote:
>
> On 5/2/07, Ciaran <ciaranj at gmail.com> wrote:
> >
> > On 4/30/07, Tegan Dowling <tmdowling at gmail.com> wrote:
> > >
> > >  Bump ... PM?  Anyone?
> > >
> > >
> > > ---------- Forwarded message ----------
> > > From: Tegan Dowling <tmdowling at gmail.com>
> > > Date: Apr 28, 2007 4:05 PM
> > > Subject: uploads security vs PmWikiDraw
> > > To: PmWiki Users <pmwiki-users at pmichaud.com>
> > >
> > > I typically secure uploads to my wikis by using the method described
> > > on the page http://www.pmwiki.org/wiki/Cookbook/SecureAttachments, which
> > > uses an .htaccess file in the uploads/ directory, with the following two
> > > lines:
> > >       Order Deny,Allow
> > >       Deny from all
> > >
> > > and then the following in local/config.php:
> > >         $EnableDirectDownload = 0;
> > >
> > >
> > > I find this conflicts with the use of the (wonderful!) PmWikiDraw
> > > recipe, http://www.pmwiki.org/wiki/Cookbook/PmWikiDraw.
> > >
> > > When I create a drawing
> > > (named "drawingname" on a page in the wikigroup
> > > http://www.myaddress.com/uploads/ExampleGroupname),
> > > the Java drawing applet displays a warning:
> > > Error:java.io.IOException:Server returned HTTP response code: 403 for
> > > URL:    http://www.myaddress.com/uploads/ExampleGroupname/drawingname.draw
> > >
> > > And although I can create the drawing, and it does save and upload
> > > successfully, it won't display the image -- I guess because the recipe
> > > doesn't use the display syntax ?action=download&upname=file.ext ?
> > >
> > > If I change local/config.php to
> > >          $EnableDirectDownload = 1;
> > >
> > > and I remove the .htaccess file from the uploads/ directory, then
> > > PmWikiDraw works ok.
> > >
> > > So is there some way that I can have both?  Could I make
> > > $EnableDirectDownload = 1; conditional on the wikigroup I'm working in, AND
> > > somehow get the .htaccess file to be ignored there as well?
> > >
> > > Ideas?
> >
> > Eek! Do you know if this directdownload option is newish, as I wasn't
> > aware of it when I wrote the pmwikidraw scripts originally.  FWIW we're
> > currently in the process of re-writing PmWikiDraw as a far more advanced
> > AnyWikiDraw tool, with an intended PmWiki variant, so it has to an extent
> > been forgotten about [we intend to support the original format at
> > least for initial loading of drawings!]
> >  - ciaran
>
> Hi!  The PmWikiDraw tool is so terrific, I would love to be able to
> enable it on all my wikis!


Well, soon you should be able to, plus with versioning, SVG support, and
much much more ;)

> The "$EnableDirectDownload = 0;" security option is not new, but it's
> not the default configuration, either (although it is for my wikis).


I'd not come across it before!

> If you look into how the option works, it seems to me that you may be
> able to adjust your PmWikiDraw code so that it works in this
> environment.  On these sites, attachments are displayed with
> "http://address.com/Group/Page?action=download&upname=file.ext" (as
> opposed to other configurations that display
> "http://address.com/uploads/Group/file.ext").


Right, I've enabled a work-around I think; please try the new version I've
put up on PmWiki.org for you!
Let me know how it goes :)

I also made a change to make it work in Java 6 runtimes, which was a little
random, but sorted now :)
Take care
- Ciaran

> I've just been hoping to find a work-around that would let me revert
> to the regular configuration on pages/groups where the PmWikiDraw is
> either in use or enabled, and I'm sure I could switch to a setting of
> $EnableDirectDownload = 1; for such pages/groups, but I don't know of
> any way to get the wiki to disregard the .htaccess file in the uploads
> directory when rendering attachments to those pages/groups.
>
> Does anyone know of anything I could put in the .htaccess file itself,
> that would get it ignored for certain pages or groups?
>



-- 
- Ciaran
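
The two attachment URL forms discussed in this thread, as an added example that is not part of the original messages and not PmWiki or PmWikiDraw code: a hypothetical PHP helper, `attachment_url()`, picks the form a client should fetch from a flag mirroring `$EnableDirectDownload`. The page name `ExamplePage` and the clean-URL layout are assumptions.

```php
<?php
// Added example: hypothetical helper, not PmWiki or PmWikiDraw code.
// Builds the URL a client (such as the drawing applet) should fetch for an
// attachment, depending on whether direct downloads are enabled.

function attachment_url(string $wikiUrl, string $uploadUrl, string $group,
                        string $page, string $file, bool $directDownload): string
{
    // Reject names that could escape the group's upload directory.
    foreach ([$group, $page, $file] as $part) {
        if ($part === '' || $part[0] === '.' || preg_match('![/\\\\\x00]!', $part)) {
            throw new InvalidArgumentException("unsafe name: $part");
        }
    }
    if ($directDownload) {
        // Served by the web server itself; answers 403 when uploads/
        // carries "Deny from all", as in the error quoted in the thread.
        return rtrim($uploadUrl, '/') . '/' . rawurlencode($group)
             . '/' . rawurlencode($file);
    }
    // Served through the wiki script, so the request goes through the wiki
    // instead of bypassing it via the web server.
    return rtrim($wikiUrl, '/') . '/' . rawurlencode($group) . '/'
         . rawurlencode($page) . '?action=download&upname=' . rawurlencode($file);
}

// Constructed sample values, reusing the host name from the thread.
$wiki    = 'http://www.myaddress.com';
$uploads = 'http://www.myaddress.com/uploads';

// Direct form (works only without the .htaccess deny rule):
echo attachment_url($wiki, $uploads, 'ExampleGroupname', 'ExamplePage',
                    'drawingname.draw', true), "\n";
// Download-action form (works with $EnableDirectDownload = 0):
echo attachment_url($wiki, $uploads, 'ExampleGroupname', 'ExamplePage',
                    'drawingname.draw', false), "\n";
```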