[pmwiki-users] Request for changing the default upload policy

Mikael Nilsson mini at nada.kth.se
Wed Dec 21 10:39:40 CST 2005


Hi!

After having gone through the process of trying to secure my wiki, or at
least parts of it, I'd like to request a change in default settings for
uploads to be per-page, and not per-group.

Background: Initially, all uploads are unauthenticated and served by
your webserver. First step in securing pmwiki is to fix that by setting
$EnableDirectDownload = 0;

This step is already easy to miss. 

Now things look better, and you might think you're secure. However, if
you password-protect one page in a group, upload something to that page,
that attachment is available through any other page in that group. So
the authentication options for an attachment are determined by the union
of all passwords etc. for the whole group, i.e., you only need access to
a single page in the group in order to access all attachments in the
group.

Some would call that a security hole. I say it makes sense in the
default, open, pmwiki setup, but fails miserably if you try to secure
the site and forget to think about that... 

This is not only a question for admins, either. Regular users would
probably expect that password protection protects attachments as well.

So, my suggestion would be to use the following as default for pmwiki:

$EnableDirectDownload = 0;
$UploadPrefixFmt = '/$FullName';

Pros: Makes it more difficult to introduce security holes. Users still
have the option to change the behavior to the current if there are
problems.
Cons: May be a bit slower on a busy site (though I haven't really seen
any problems), and makes it a tiny bit more awkward to link to
attachments not on the same page.

So the questions are: 
1. Is the performance issue real/common?
2. Is it very common to use attachments on more than one page?

My guess is no, no. But I might be wrong.

Opinions?

/Mikael

I tried to password-protect 
-- 
Plus ça change, plus c'est la même chose
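To make the access semantics described in the post concrete, here is a small model written for this page (it is not PmWiki's own code and only imitates the $Group/$FullName substitution in $UploadPrefixFmt). It compares three configurations on a constructed group with one open page and one password-protected page: direct downloads enabled, the default per-group upload directory, and the per-page directory the post asks for. The page names, the password "s3cret" and the scenario() helper are all made up for the example.

```python
from dataclasses import dataclass

# The two $UploadPrefixFmt settings compared in the post: PmWiki's default
# (one upload directory per group) and the requested per-page default.
GROUP_PREFIX = "/$Group"
PAGE_PREFIX = "/$FullName"


@dataclass
class Wiki:
    """Toy model of the attachment authorisation rules discussed in the post."""
    upload_prefix_fmt: str
    enable_direct_download: bool
    # page name "Group.Name" -> set of read passwords; an empty set means open
    pages: dict

    def upload_dir(self, page: str) -> str:
        """Directory an attachment to `page` is stored in.

        Only the $FullName and $Group substitutions are modelled here.
        """
        group = page.split(".", 1)[0]
        return (self.upload_prefix_fmt
                .replace("$FullName", page)
                .replace("$Group", group))

    def can_read(self, page: str, presented: set) -> bool:
        """A page is readable if it is open or one of its passwords was given."""
        required = self.pages[page]
        return not required or bool(required & presented)

    def can_download(self, uploaded_to: str, presented: set) -> bool:
        """Can a visitor fetch an attachment that was uploaded to `uploaded_to`?

        With direct downloads the webserver serves the file and no wiki
        password is ever checked. Otherwise the file is reachable through
        every page whose upload directory is the same, so read access to any
        such page is enough (the 'union of all passwords' in the post).
        """
        if self.enable_direct_download:
            return True
        target = self.upload_dir(uploaded_to)
        return any(self.can_read(p, presented)
                   for p in self.pages
                   if self.upload_dir(p) == target)


def scenario() -> dict:
    """Constructed example: an open page and a protected page in one group.

    Returns, per configuration, (anonymous visitor, visitor with the
    page password) results for an attachment uploaded to the protected page.
    """
    pages = {"Project.Public": set(), "Project.Secret": {"s3cret"}}
    anon, member = set(), {"s3cret"}
    configs = {
        "direct": Wiki(GROUP_PREFIX, True, pages),   # $EnableDirectDownload = 1
        "group": Wiki(GROUP_PREFIX, False, pages),   # default prefix, no direct download
        "page": Wiki(PAGE_PREFIX, False, pages),     # the post's suggested default
    }
    return {name: (w.can_download("Project.Secret", anon),
                   w.can_download("Project.Secret", member))
            for name, w in configs.items()}


if __name__ == "__main__":
    for name, (anon_ok, member_ok) in scenario().items():
        print(f"{name:7s} anonymous={anon_ok!s:5s} with-password={member_ok}")
```

Running it shows the point of the post: with direct downloads, and also with the per-group prefix after direct downloads are disabled, the anonymous visitor still gets the attachment because the open page shares the group directory; only the per-page prefix ties the attachment to the protected page's own password.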
