From 823ec815d4fc9625d6fa3553ad03e9f2ff737659 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 14 Mar 2010 14:58:13 -0400 Subject: Add a include setting, which can be used to make ikiwiki process wiki source files, such as .htaccess, that would normally be skipped for security or other reasons. Closes: #447267 (Thanks to Aaron Wilson for the original patch.) --- doc/tips/htaccess_file.mdwn | 30 ++++++++++++++++++++++++++++++ doc/todo/enable-htaccess-files.mdwn | 5 +++++ doc/usage.mdwn | 6 ++++++ 3 files changed, 41 insertions(+) create mode 100644 doc/tips/htaccess_file.mdwn (limited to 'doc') diff --git a/doc/tips/htaccess_file.mdwn b/doc/tips/htaccess_file.mdwn new file mode 100644 index 000000000..5266eba41 --- /dev/null +++ b/doc/tips/htaccess_file.mdwn @@ -0,0 +1,30 @@ +If you try to include a `.htaccess` file in your wiki's source, in order to +configure the web server, you'll find that ikiwiki excludes it from +processing. In fact, ikiwiki excludes any file starting with a dot, as well +as a lot of other files, for good security reasons. + +You can tell ikiwiki not to exclude the .htaccess file by adding this to +your setup file: + + include => '^\.htaccess$', + +Caution! Before you do that, please think for a minute about who can edit +your wiki. Are attachment uploads enabled? Can users commit changes +directly to the version control system? Do you trust everyone who can +make a change to not do Bad Things with the htaccess file? Do you trust +everyone who *might* be able to make a change in the future? Note that a +determined attacker who can write to the htaccess file can probably get a +shell on your web server. + +If any of these questions have given you pause, I suggest you find a +different way to configure the web server. One way is to not put the +`.htaccess` file under ikiwiki's control, and just manually install it +in the destdir. + +[Apache's documentation](http://httpd.apache.org/docs/1.3/howto/htaccess.html) +says +> In general, you should never use .htaccess files unless you don't have +> access to the main server configuration file. +This is good advice -- if you can edit apache's main configuration files, +then you should not use a htaccess file. +--[[Joey]] diff --git a/doc/todo/enable-htaccess-files.mdwn b/doc/todo/enable-htaccess-files.mdwn index 412cb5eba..c895db75d 100644 --- a/doc/todo/enable-htaccess-files.mdwn +++ b/doc/todo/enable-htaccess-files.mdwn @@ -61,3 +61,8 @@ It should be off by default of course. --Max +1 for various purposes (but sometimes the filename isn't `.htaccess`, so please make it configurable) --[[schmonz]] > I've described a workaround for one use case at the [[plugins/rsync]] [[plugins/rsync/discussion]] page. --[[schmonz]] + +--- + +[[done]], you can use the `include` setting to override the default +excludes now. Please use extreme caution when doing so. --[[Joey]] diff --git a/doc/usage.mdwn b/doc/usage.mdwn index a105d7e59..f735170f0 100644 --- a/doc/usage.mdwn +++ b/doc/usage.mdwn @@ -234,6 +234,12 @@ also be configured using a setup file. Specifies a rexexp of source files to exclude from processing. May be specified multiple times to add to exclude list. +* --include regexp + + Specifies a rexexp of source files, that would normally be excluded, + but that you wish to include in processing. + May be specified multiple times to add to include list. + * --adminuser name Specifies a username of a user (or, if openid is enabled, an openid) -- cgit v1.2.3