[pmwiki-users] Disallow scripts in upload directories
Petko Yotov
5ko at 5ko.fr
Sun Apr 7 17:51:48 CDT 2013
Oliver Betz writes:
> I suggest preconfiguring $UploadBlacklist in sample-config.php,
> otherwise many users will not care about it.
The sample-config.php file is meant to be read by newcomer admins so there
is a rule that it should be as simple as possible. For example, we don't use
$FarmD in the paths because it will make it more complex, and $FarmD is only
required for a WikiFarm which is usually done by more advanced admins.
By default, PmWiki doesn't even allow uploads so there is no danger with
multiple extensions. Moreover, when the uploads are enabled, there is a
default password, and normally only trusted users can upload. So I am not
sure if it is better to:
1. keep sample-config.php simple and clean, but without critical
information for some (not all) servers, or
2. have it more crowded and more complex, with information which is not
important for many (most) servers.
This information, critical for some servers, should be documented at
UploadsAdmin with the suggested solutions - .htaccess, $UploadBlacklist,
$EnableDirectDownload - in or near the first section about how to enable
uploads. Should it be in sample-config.php? I don't know.
> In addition to the already mentioned '.php', '.pl', '.cgi' I would
> include at least:
> .py, .htm, .shtm, .phtm, .pcgi, .asp, .js, .jsp, .sh
The files .htm and .js are normally not executed by the server, and are
accepted as allowed uploads. I have added the others in the documentation.
> If I understand the code correctly, a ".php" entry prevents also .php4
> etc., correct?
Yes.
> I think it would be a good idea to also include a warning in
> sample-config.php about disabling script execution by .htaccess if
> $EnableDirectDownload is set.
$EnableDirectDownload is always set, unless an admin sets it to 0. Also, we
don't have a single .htaccess working on all servers so once again,
sample-config.php is probably not the best place to document this.
I may be wrong though.
Petko
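An added example, not code from PmWiki or from either poster: a standalone PHP script that models the $UploadBlacklist check as the thread describes it (a '.php' entry also rejecting '.php4'). The matching rule, a substring match on the lower-cased filename, is an assumption made to reproduce that described behaviour; the list combines the entries already named in the thread with the ones Petko says he added to the documentation.

```php
<?php
// Added example modelling the $UploadBlacklist check discussed in the thread.
// Assumption: an entry matches if it occurs anywhere in the lower-cased
// filename, which is what makes '.php' also reject '.php4' and 'x.php.txt'.
// This is a model of the described behaviour, not PmWiki's own upload.php.

$UploadBlacklist = array(
  '.php', '.pl', '.cgi',             // entries already mentioned in the thread
  '.py', '.shtm', '.phtm', '.pcgi',  // additions from the thread; .htm and .js
  '.asp', '.jsp', '.sh',             // are left out as the server does not run them
);

// Returns the blacklist entry that rejects $filename, or false if it is allowed.
function upload_blocked($filename, array $blacklist) {
  $lower = strtolower($filename);
  foreach ($blacklist as $needle) {
    if (strpos($lower, $needle) !== false) {
      return $needle;
    }
  }
  return false;
}

// Constructed sample filenames covering allowed names, case variants,
// a numbered PHP extension and a double extension.
$samples = array(
  'report.pdf', 'photo.JPG', 'notes.htm', 'widget.js',
  'shell.php4', 'shell.PHP', 'image.php.txt', 'script.pcgi', 'run.sh',
);

foreach ($samples as $name) {
  $hit = upload_blocked($name, $UploadBlacklist);
  printf("%-16s %s\n", $name, $hit === false ? 'allowed' : "rejected by '$hit'");
}
```

The blacklist only governs what PmWiki accepts at upload time; it does nothing for files already present in the uploads directory, which is why the thread also discusses disabling script execution server-side.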