[Pmwiki-users] more thoughts on .htaccess

Patrick R. Michaud pmichaud
Fri Dec 10 07:23:21 CST 2004 

On Fri, Dec 10, 2004 at 11:46:08AM +0100, Joachim Durchholz wrote:
> 
> "Arbitrary" in the sense of "for webservers in general".
> I wasn't aware that PmWiki has a file name policy in place - that 
> removes quite a lot of potential security holes.

PmWiki places restrictions on:
  - the characters allowed in filenames (alphanumeric + space, underscore, 
    hyphen, and dot; filename must begin with an alphanumeric char),
  - the allowed filename extensions,
  - the size of the upload (based on the filename's extension), and
  - the total size of all files in the upload directories (i.e., quotas)

If any of these criteria aren't met, the uploaded file never makes 
it into the uploads/ directory.

> I'm not sure whether the client has any say on the names of the uploaded 
> files. 

In general, the client can recommend a name, but the cgi-bin script
is free to ignore or modify it.  In PmWiki's case, if the recommended
name doesn't meet the criteria above, the upload is discarded.

> The idea is that the uploads/ directory is a quarantine area. It 
> contains files that have been accepted but not yet been checked for 
> conformance with whatever policy the site imposes on uploads, and/or not 
> yet properly integrated into the site itself.
> [...]
> There may be a confusion of terminology at work here. I took "uploads/" 
> to be the directory into which uploaded files are immediately stored. If 
> the uploads go into e.g. /tmp/ first, then /tmp/ can serve as quarantine 
> area (and probably does).

Yup, you're misreading how PmWiki does uploads.

PHP's model is that uploaded files are placed into a quarantine (usually
/tmp) with a filename of random (safe) characters, and then it's up 
to the PHP script to move or otherwise process the uploaded file as 
appropriate.  In PmWiki's case, PmWiki defines an $UploadVerifyFunction 
that makes the checks listed above before actually moving the file
into uploads/.  And the verify function is pluggable so that
additional policies (e.g., virus or content scanning) could be
instituted if an admin wishes.

> For example, a site might:
> * want to run a virus scanner over uploaded contents
> * check that files don't start with a shebang line
>   (e.g. if the site has binfmt_misc in place)
> * apply size limits (no uploads in excess of 50 KB)
>   (I know this can be enforced via Apache, but the Apache limit may
>   be over-general, e.g. we might want to restrict text files to 50K
>   and images to 1MB)
> * check file names (first letter not a dot, no executable extensions
>   such as .php or .shtml)

The last two are already handled by PmWiki's default verification
function; the first two can be added via a custom function.

Pm

More information about the pmwiki-users mailing list