[pmwiki-users] Disallow scripts in upload directories

Petko Yotov 5ko at 5ko.fr
Sun Apr 7 17:51:48 CDT 2013


Oliver Betz writes:
> I suggest preconfiguring $UploadBlacklist in sample-config.php,
> otherwise many users will not care about it.

The sample-config.php file is meant to be read by newcomer admins so there  
is a rule that it should be as simple as possible. For example, we don't use  
$FarmD in the paths because it will make it more complex, and $FarmD is only  
required for a WikiFarm which is usually done by more advanced admins.

By default, PmWiki doesn't even allow uploads so there is no danger with  
multiple extensions. Moreover, when the uploads are enabled, there is a  
default password, and normally only trusted users can upload. So I am not  
sure if it is better to:

1. keep sample-config.php simple and clean, but without critical  
information for some (not all) servers, or

2. have it more crowded and more complex, with information which is not  
important for many (most) servers.

This information, critical for some servers, should be documented at  
UploadsAdmin with the suggested solutions - .htaccess, $UploadBlacklist,  
$EnableDirectDownload - in or near the first section about how to enable  
uploads. Should it be in sample-config.php? I don't know.

> In addition to the already mentioned '.php', '.pl', '.cgi' I would
> include at least:
> .py, .htm, .shtm, .phtm, .pcgi, .asp, .js, .jsp, .sh

The files .htm and .js are normally not executed by the server, and are  
accepted as allowed uploads. I have added the others in the documentation.

> If I understand the code correctly, a ".php" entry prevents also .php4
> etc., correct?

Yes.

> I think it would be a good idea to include also a warning in
> sample-config.php about disabling script execution by .htaccess if
> $EnableDirectDownload is set.

$EnableDirectDownload is always set, unless an admin sets it to 0. Also, we  
don't have a single .htaccess working on all servers so once again,  
sample-config.php is probably not the best place to document this.

I may be wrong though.

Petko
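An added example, not part of the message above and not PmWiki's own code: a stand-alone PHP script that re-implements the kind of substring blacklist check the thread describes, so an admin can try candidate file names against an $UploadBlacklist before enabling uploads. It assumes PmWiki matches each blacklist entry as a case-insensitive substring of the upload name (which is why a '.php' entry also stops '.php4'); the function names, the blacklist contents and the sample file names are the example's own. Check scripts/upload.php of the version you run before relying on the exact matching rule.

```php
<?php
// Added example (not PmWiki code): stand-alone re-implementation of a
// substring-style upload blacklist, to preview what a given $UploadBlacklist
// would reject. Assumption: PmWiki matches entries as case-insensitive
// substrings of the upload name; verify against your scripts/upload.php.

// Extensions this thread converges on. '.htm' and '.js' are deliberately
// absent: they are served, not executed, by the web server.
$UploadBlacklist = array('.php', '.pl', '.cgi', '.py', '.shtm', '.phtm',
                         '.pcgi', '.asp', '.jsp', '.sh');

/**
 * Return the blacklist entry that rejects $name, or null if it is allowed.
 * Substring matching catches 'x.php4', 'x.php.jpg' and 'x.phtml' through
 * '.php' / '.phtm', which a strict last-extension check misses. That matters
 * because some Apache setups hand 'x.php.jpg' to the PHP handler anyway.
 */
function upload_name_blocked($name, array $blacklist) {
    $lname = strtolower($name);
    foreach ($blacklist as $needle) {
        if (strpos($lname, strtolower($needle)) !== false) {
            return $needle;
        }
    }
    return null;
}

/** Strict last-extension check, shown only to contrast with the above. */
function last_ext_blocked($name, array $blacklist) {
    $pos = strrpos($name, '.');
    $ext = ($pos === false) ? '' : strtolower(substr($name, $pos));
    return in_array($ext, array_map('strtolower', $blacklist), true);
}

// Constructed sample names, not taken from any real upload log.
$samples = array('report.pdf', 'shell.php', 'shell.php4', 'shell.PHP',
                 'photo.jpg.php', 'shell.php.jpg', 'index.htm', 'app.js',
                 'x.phtml', 'run.sh');

printf("%-16s %-10s %-10s\n", 'name', 'substring', 'last-ext');
foreach ($samples as $s) {
    printf("%-16s %-10s %-10s\n", $s,
        upload_name_blocked($s, $UploadBlacklist) ?: 'allowed',
        last_ext_blocked($s, $UploadBlacklist) ? 'blocked' : 'allowed');
}

// The blacklist only filters names at upload time. With $EnableDirectDownload
// left at its default, files in uploads/ are served by the web server itself,
// so the directory should additionally refuse to execute scripts. On Apache
// that is typically an uploads/.htaccess such as (assumption: AllowOverride
// permits it; directives differ by server and PHP SAPI, as the thread notes):
//
//   <FilesMatch "\.(php|phtml|php[0-9]|pl|cgi|py|sh|asp|jsp)$">
//       Require all denied
//   </FilesMatch>
```

Run it with `php check-blacklist.php` (any file name) and compare the two columns: the substring rule blocks 'shell.php.jpg' and 'photo.jpg.php' alike, while the last-extension rule lets the former through. If your server cannot be made to ignore script handlers in uploads/, the safer fallback is `$EnableDirectDownload = 0;`, so attachments are streamed through pmwiki.php instead of being served directly from the directory.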

