[pmwiki-users] Security of attachments

Nils Knappmeier nk at knappi.org
Thu Oct 5 02:25:49 CDT 2006


Mike wrote:
> Hello,
>
> while most of my wiki is readable to the public, there are a few
> selected pages to which only selected people with the right password
> should have access. On these pages, I want to show pictures, which of
> course are just as sensitive and should not be visible to people without
> password.
>
> The problem is that both approaches I tried are not secure:
> * If the image is a PmWiki attachment, then this means that it resides
> in the PmWiki directory and can be viewed by anyone who knows the image
> path.
>
> * If the image is outside the web tree and shown via a script like e.g.
> phpThumb, then the user is free to call phpThumb himself to see the
> image - again, he only has to know/guess the password and call phpThumb.
Hi Mike,

set $EnableDirectDownload = 0; in your config.php. This will
modify the links to uploaded files to look like

http://www.knappi.org/v2/index.php/Main/History?action=download&upname=onlinewahl.png

which means that pmwiki itself is accessed to download the file.
As far as I know, it also performs password verifications, although
I don't know if it looks for the page-password or the group-password.

You can prevent people from downloading the upload-files directly, by
putting a .htaccess with the following lines into the uploads-directory:

-----<snip>-----
Order Deny,Allow
Deny from all
-----</snip>-----


Nils
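Added illustration (not PmWiki's code and not part of the original post) of the gate a script-served download has to enforce once direct download is off and the uploads directory is denied: the page password check must pass, and the requested upname must stay inside the group's upload directory. Assumed: the upload root path, the Group/upname layout, and that the wiki's own password result is handed in as can_read_page.

```python
import re
from pathlib import Path

# Assumptions (not PmWiki's own layout or code): uploads live outside the web
# tree under UPLOAD_DIR/<Group>/<upname>, and the wiki's own password check
# for the page being read is passed in as can_read_page.
UPLOAD_DIR = Path("/srv/wiki-uploads")
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")   # no "/", no leading "."


class DownloadDenied(Exception):
    """Raised when the download request must be refused (HTTP 403 in practice)."""


def resolve_attachment(group: str, upname: str, can_read_page: bool) -> Path:
    """Return the on-disk path for ?action=download&upname=... or refuse.

    With $EnableDirectDownload = 0 and the uploads dir denied in .htaccess,
    this function is the only thing between a guessed filename and the file,
    so it checks authorization first and the path second.
    """
    if not can_read_page:
        raise DownloadDenied("page password check failed")
    # Reject anything that is not a plain filename: "../", "/", empty, ".htaccess"
    if not SAFE_NAME.match(group) or not SAFE_NAME.match(upname):
        raise DownloadDenied("unsafe group or upname")
    base = (UPLOAD_DIR / group).resolve()
    target = (base / upname).resolve()
    # Belt and braces: even after the regex, the file must sit directly under base
    if target.parent != base:
        raise DownloadDenied("path escapes the upload directory")
    return target


def is_denied(group: str, upname: str, can_read_page: bool) -> bool:
    """Convenience wrapper: True if the request would be refused."""
    try:
        resolve_attachment(group, upname, can_read_page)
    except DownloadDenied:
        return True
    return False
```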