aboutsummaryrefslogtreecommitdiff
path: root/doc/todo/enable-htaccess-files.mdwn
blob: 3b9721d50aac5a95dacd7b1d89f9741c8917e3d9 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
    Index: IkiWiki.pm
    ===================================================================
    --- IkiWiki.pm  (revision 2981)
    +++ IkiWiki.pm  (working copy)
    @@ -26,7 +26,7 @@
     memoize("file_pruned");
     
     sub defaultconfig () {
    -       wiki_file_prune_regexps => [qr/\.\./, qr/^\./, qr/\/\./,
    +       wiki_file_prune_regexps => [qr/\.\./, qr/^\.(?!htaccess)/, qr/\/\.(?!htaccess)/,
                    qr/\.x?html?$/, qr/\.ikiwiki-new$/,
                    qr/(^|\/).svn\//, qr/.arch-ids\//, qr/{arch}\//],
           wiki_link_regexp => qr/\[\[(?:([^\]\|]+)\|)?([^\s\]#]+)(?:#([^\s\]]+))?\]\]/,

> Note that the above patch is **completely broken**. 
> It removes the crucial excludes of all files starting with a dot.
> The negative regexps for htaccess have no effect, so the whole
> thing only "works" because it allows *any* file starting with a dot.
> If you applied this patch to your ikiwiki, you opened a huge security
> hole. --[[Joey]] 

[[!tag patch patch/core]]

This lets the site administrator have a `.htaccess` file in their underlay
directory, say, then get it copied over when the wiki is built. Without
this, installations that are located at the root of a domain don't get the
benefit of `.htaccess` such as improved directory listings, IP blocking,
URL rewriting, authorisation, etc. 

> I'm concerned about security ramifications of this patch. While ikiwiki
> won't allow editing such a .htaccess file in the web interface, it would
> be possible for a user who has svn commit access to the wiki to use it to
> add a .htaccess file that does $EVIL.
> 
> Perhaps this should be something that is configurable via the setup file
> instead. --[[Joey]]

> See 

---

Hi, I would like to have my htaccess files in svn repository so ikiwiki would export that file to my webspace with every commit.

That way I have revision control on that file too. That may be a security concern, but I trust everybody that has svn commit
access and such .htaccess files should not be accessible through wiki cgi. Of course, it could default to 'off'.

> See [[!debbug 447267]] for a patch for this.

>> It looks to me as though this functionality won't be included in ikiwiki
>> unless someone who wants it takes responsibility for updating the patch
>> from that Debian bug to be applicable to current versions, so that there's a
>> setup file parameter for extra filenames to allow, defaulting to none
>> (i.e. a less simplistic patch than the one at the top of this page).
>> Joey, is this an accurate summary? --[[smcv]]

---

bump! I would like to see some form of this functionality included in ikiwiki. I use a patched version, but
its a bit of a PITA to constantly apply it (and to forget sometimes!). I know that security concern is important to consider,
but I use ikiwiki with a very small group of people collaborating so svn/web access is under control
and htaccess is for limiting access to some areas of wiki.   
It should be off by default of course. --Max

---
+1 I want `.htaccess` so I can rewrite some old Wordpress URLs to make feeds work again. --[[hendry]]

> Unless you cannot modify apache's configuration, you do not need htaccess
> to do that. Apache's documentation recommends against using htaccess
> unless you're a user who cannot modify the main server configuration.
> --[[Joey]] 

---
+1 for various purposes (but sometimes the filename isn't `.htaccess`, so please make it configurable) --[[schmonz]]

> I've described a workaround for one use case at the [[plugins/rsync]] [[plugins/rsync/discussion]] page. --[[schmonz]]

---

[[done]], you can use the `include` setting to override the default
excludes now. Please use extreme caution when doing so. --[[Joey]]