[Pmwiki-users] more thoughts on .htaccess
Patrick R. Michaud
Fri Dec 10 07:23:21 CST 2004
On Fri, Dec 10, 2004 at 11:46:08AM +0100, Joachim Durchholz wrote:
> "Arbitrary" in the sense of "for webservers in general".
> I wasn't aware that PmWiki has a file name policy in place - that
> removes quite a lot of potential security holes.
PmWiki places restrictions on:
- the characters allowed in filenames (alphanumeric + space, underscore,
hyphen, and dot; filename must begin with an alphanumeric char),
- the allowed filename extensions,
- the size of the upload (based on the filename's extension), and
- the total size of all files in the upload directories (i.e., quotas)
If any of these criteria aren't met, the uploaded file never makes
it into the uploads/ directory.
> I'm not sure whether the client has any say on the names of the uploaded
In general, the client can recommend a name, but the cgi-bin script
is free to ignore or modify it. In PmWiki's case, if the recommended
name doesn't meet the criteria above, the upload is discarded.
> The idea is that the uploads/ directory is a quarantine area. It
> contains files that have been accepted but not yet been checked for
> conformance with whatever policy the site imposes on uploads, and/or not
> yet properly integrated into the site itself.
> There may be a confusion of terminology at work here. I took "uploads/"
> to be the directory into which uploaded files are immediately stored. If
> the uploads go into e.g. /tmp/ first, then /tmp/ can serve as quarantine
> area (and probably does).
Yup, you're misreading how PmWiki does uploads.
PHP's model is that uploaded files are placed into a quarantine (usually
/tmp) with a filename of random (safe) characters, and then it's up
to the PHP script to move or otherwise process the uploaded file as
appropriate. In PmWiki's case, PmWiki defines an $UploadVerifyFunction
that makes the checks listed above before actually moving the file
into uploads/. And the verify function is pluggable so that
additional policies (e.g., virus or content scanning) could be
instituted if an admin wishes.
> For example, a site might:
> * want to run a virus scanner over uploaded contents
> * check that files don't start with a shebang line
> (e.g. if the site has binfmt_misc in place)
> * apply size limits (no uploads in excess of 50 KB)
> (I know this can be enforced via Apache, but the Apache limit may
> be over-general, e.g. we might want to restrict text files to 50K
> and images to 1MB)
> * check file names (first letter not a dot, no executable extensions
> such as .php or .shtml)
The last two are already handled by PmWiki's default verification
function; the first two can be added via a custom function.
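The verification flow described in this reply, as an added example that is not PmWiki's own code: a pluggable verifier that applies the filename, extension, per-extension size and quota rules to a file PHP has already parked in its temp directory, with a hook slot for extra site checks such as the shebang test from the quoted list. The function name, limits and hook layout are assumptions.

```php
<?php
// Added example (not PmWiki's code): a pluggable upload verifier that
// applies the policy described above to a file PHP has already parked
// in its temp directory. Names and limits here are assumptions.

// Per-extension size limits in bytes (constructed sample policy).
$SizeLimits  = ['txt' => 50 * 1024, 'png' => 1024 * 1024, 'jpg' => 1024 * 1024];
$Quota       = 20 * 1024 * 1024;  // total bytes allowed under the upload dir
$ExtraChecks = [];                // hypothetical plug-in slot, filled below

// Return '' on success, or a short reason the upload must be discarded.
function verifyUpload(string $name, string $tmpPath, string $uploadDir): string {
    global $SizeLimits, $Quota, $ExtraChecks;
    // Filename policy: first char alphanumeric; only [A-Za-z0-9 _.-] after it.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9 _.-]*$/', $name))
        return "bad characters in filename";
    // Extension allowlist doubles as the per-extension size table.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset($SizeLimits[$ext]))
        return "extension not allowed";
    $size = filesize($tmpPath);
    if ($size === false || $size > $SizeLimits[$ext])
        return "file exceeds limit for .$ext";
    // Quota: existing files plus this one must stay under $Quota.
    $used = 0;
    foreach (glob("$uploadDir/*") ?: [] as $f) $used += filesize($f);
    if ($used + $size > $Quota)
        return "upload directory quota exceeded";
    // Site-specific plug-ins (virus scan, content check) run last.
    foreach ($ExtraChecks as $check)
        if (($msg = $check($name, $tmpPath)) !== '') return $msg;
    return '';
}

// Example plug-in from the thread: reject files beginning with a shebang.
$ExtraChecks[] = function (string $name, string $tmpPath): string {
    $head = file_get_contents($tmpPath, false, null, 0, 2);
    return $head === '#!' ? "shebang line not permitted" : '';
};

// Demo with a constructed file standing in for PHP's quarantined upload.
$uploadDir = sys_get_temp_dir() . '/uploads-demo';
@mkdir($uploadDir);
$tmp = tempnam(sys_get_temp_dir(), 'php');
file_put_contents($tmp, "#!/bin/sh\necho hi\n");
$msg = verifyUpload('notes.txt', $tmp, $uploadDir);
if ($msg !== '') { echo "rejected: $msg\n"; unlink($tmp); }
else { rename($tmp, "$uploadDir/notes.txt"); echo "stored\n"; }
```

In a real request the temp path comes from $_FILES['f']['tmp_name'] and the final step is move_uploaded_file() rather than rename(), so that only a file PHP itself received can ever reach uploads/.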