[pmwiki-users] Protection of attachments!?!

Mikael Nilsson mini at nada.kth.se
Wed Nov 30 10:51:02 CST 2005

ons 2005-11-30 klockan 07:41 -0600 skrev Patrick R. Michaud:
> On Wed, Nov 30, 2005 at 02:16:39PM +0100, Mikael Nilsson wrote:
> > Sorry for the spam, here's the solution:
> > 
> > http://www.pmwiki.org/wiki/Cookbook/SecureAttachments
> It's also mentioned on the PmWiki.UploadsAdmin page, in the section
> "Password protecting uploaded files".  But perhaps the description
> needs improvement (feel free to improve it).

Actually I think the documentation is adequate, I was just somehow
blind. However, I'm thinking that maybe pmwiki should try to proceed
down the "secure by default" route?

It's starting to get a but frustrating to try to hunt down possible
"holes". A friend of mine has had the same experience that you never
really know if there are gaping holes left... The default settings for
passwords is very confusing, as some pages and groups override the
site-wide settings, for no *obvious* reason.

At the very least, it should be documented very clearly what steps are
needed to lock down an installation:

* Provide passwords etc. in config.php
* Check all GroupAttribute pages so that they do not improperly override
this (They do out of the box).
* Check at least Site.SideBar
* Secure attachments.
* Maybe more that I have missed? Please add!

Please tell me where in the wiki this information should be added and
I'll give it a try, unless you plan to fix it in another way.


Plus ça change, plus c'est la même chose

More information about the pmwiki-users mailing list