[pmwiki-users] Fwd: uploads security vs PmWikiDraw

Tegan Dowling tmdowling at gmail.com
Wed May 2 16:23:48 CDT 2007


On 5/2/07, Ciaran <ciaranj at gmail.com> wrote:
> On 5/2/07, Tegan Dowling <tmdowling at gmail.com> wrote:
>
> > On 5/2/07, Ciaran <ciaranj at gmail.com> wrote:
> > >
> > > On 4/30/07, Tegan Dowling <tmdowling at gmail.com> wrote:
> > > >
> > > >  Bump ... PM?  Anyone?
> > > >
> > > >
> > > > ---------- Forwarded message ----------
> > > > From: Tegan Dowling < tmdowling at gmail.com>
> > > >  Date: Apr 28, 2007 4:05 PM
> > > > Subject: uploads security vs PmWikiDraw
> > > > To: PmWiki Users <pmwiki-users at pmichaud.com >
> > > >
> > > > I typically secure uploads to my wikis by using the method, described
> > > > on the page http://www.pmwiki.org/wiki/Cookbook/SecureAttachments,
> > > > which uses an .htaccess file in the uploads/ directory, with the following
> > > > two lines:
> > > >       Order Deny,Allow
> > > >       Deny from all
> > > >
> > > > and then the following in local/config.php:
> > > >         $EnableDirectDownload = 0;
> > > >
> > > >
> > > > I find this conflicts with the use of the (wonderful!) PmWikiDraw
> > > > recipe. http://www.pmwiki.org/wiki/Cookbook/PmWikiDraw.
> > > >
> > > > When I create a drawing
> > > > (named "drawingname" on a page in the wikigroup
> > > > http://www.myaddress.com/uploads/ExampleGroupname),
> > > > the java drawing applet displays a warning:
> > > > Error:java.io.IOException:Server returned HTTP response code: 403 for URL:
> > > > http://www.myaddress.com/uploads/ExampleGroupname/drawingname.draw
> > > >
> > > > And although I can create the drawing, and it does save and upload
> > > > successfully, it won't display the image -- I guess because the recipe
> > > > doesn't use the display syntax ?action=download&upname=file.ext ?
> > > >
> > > > If I change local/config.php to
> > > >          $EnableDirectDownload = 1;
> > > >
> > > > and I remove the .htaccess file from the uploads/ directory, then the
> > > > PmWikiDraw works ok.
> > > >
> > > > SO is there some way that I can have both?  Could I make
> > > > $EnableDirectDownload = 1; conditional on the wikigroup I'm working in, AND
> > > > somehow get the .htaccess file to be ignored there as well?
> > > >
> > > > Ideas?
> > >
> > > Eek! do you know if this directdownload option is newish, as I wasn't aware of it when I
> > > wrote the pmwikidraw scripts originally.  FWIW we're currently in the process of re-writing
> > > PmWikiDraw as a far more advanced AnyWikiDraw tool, with an intended PmWiki variant
> > > so it has to an extent been forgotten about [we intend to support the original format at
> > > least for initial loading of drawings!]
> > >  - ciaran
> >
> > Hi!  The PmWikiDraw tool is so terrific, I would love to be able to
> > enable it on all my wikis!
>
> Well soon you should be able to, plus with versioning, svg support, and
> much much more ;)
>
> > The "$EnableDirectDownload = 0;" security option is not new, but it's
> > not the default configuration, either (although it is for my wikis).
>
> I'd not come across it before!
>
> > If you look into how the option works, it seems to me that you may be
> > able to adjust your PmWikiDraw code so that it works in this
> > environment.  On these sites, attachments are displayed with
> > "http://address.com/Group/Page?action=download&upname=file.ext" (as
> > opposed to other configurations that display
> > "http://address.com/uploads/Group/file.ext")
>
> Right, I've enabled a work-around I think, please try the new version I've
> put up on PmWiki.org for you!
> Let me know how it goes :)
> --
> - Ciaran

Hi, Ciaran:  Success! (mostly)

I restored the downloads protection as I normally have it, and now I
can create and edit PmWikiDraw files.  The only thing that's still odd
is that the java app does display an error message across the bottom
of its window when creating a new file.  The error doesn't prevent
file creation, so it's not critical, but it is odd:

When I create a drawing (named "drawingname" on a page in the
wikigroup http://www.myaddress.com/uploads/ExampleGroupname),
the java drawing applet displays a warning:
Error:java.io.FileNotFoundException:
http://www.myaddress.com?n=ExampleGroupname.ExamplePagename&action=download&upname=drawingname.draw

Thanks so much for this tool, and for your terrific responsiveness!

Tegan
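
An added example (not part of the original messages or of PmWiki): a Python check over the two settings discussed in this thread, the uploads/.htaccess deny rule and $EnableDirectDownload in local/config.php, which only protect attachments when used together. The function names, state labels and sample inputs are constructed for illustration; it assumes uploads/ sits under the web root and treats an unset $EnableDirectDownload as 1.

```python
import re

# Constructed sample inputs modelled on the two settings quoted in the thread.
SAMPLE_HTACCESS = "Order Deny,Allow\nDeny from all\n"
SAMPLE_CONFIG = "<?php\n$EnableUpload = 1;\n$EnableDirectDownload = 0;\n"


def htaccess_denies_all(text):
    """True if an uncommented deny-all directive is present in the .htaccess text."""
    if text is None:  # no .htaccess file in uploads/
        return False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        # 'Deny from all' is the form used in the thread; 'Require all denied'
        # is the Apache 2.4 equivalent, accepted here as an extension.
        if re.fullmatch(r"(deny\s+from\s+all|require\s+all\s+denied)", line, re.I):
            return True
    return False


def direct_download(config_text):
    """Last uncommented value assigned to $EnableDirectDownload.

    Assumption: treated as 1 when never set (the thread notes 0 is not the default).
    """
    values = re.findall(r"^[ \t]*\$EnableDirectDownload\s*=\s*(\d+)\s*;", config_text, re.M)
    return int(values[-1]) if values else 1


def audit_uploads(htaccess_text, config_text):
    """Classify the combined state of uploads/.htaccess and local/config.php."""
    denied = htaccess_denies_all(htaccess_text)
    direct = direct_download(config_text)
    if denied and direct == 0:
        return "protected"      # files served only via ?action=download
    if denied:
        return "broken-links"   # wiki links to uploads/ URLs, server answers 403
    if direct == 0:
        return "bypassable"     # links use ?action=download, uploads/ URLs still served
    return "open"               # direct download, no web-server restriction


if __name__ == "__main__":
    print(audit_uploads(SAMPLE_HTACCESS, SAMPLE_CONFIG))
```

The "broken-links" state corresponds to the 403 the applet reported earlier in the thread: the server denies uploads/ while a client still requests the direct URL.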


