[pmwiki-users] Security of attachments
nk at knappi.org
Thu Oct 5 02:25:49 CDT 2006
> while most of my wiki is readable to the public, there are a few
> selected pages to which only selected people with the right password
> should have access. On these pages, I want to show pictures, which of
> course are just as sensitive and should not be visible to people without
> The problem is that both approaches I tried are not secure:
> * If the image is a PmWiki attachment, then this means that it resides
> in the PmWiki directory and can be viewed by anyone who knows the image
> * If the image is outside the web tree and shown via a script like e.g.
> phpThumb, then the user is free to call phpThumb himself to see the
> image - again, he only has to know/guess the password and call phpThumb.
Set $EnableDirectDownload = 0; in your config.php. This will
modify the links to uploaded files to look like
which means that pmwiki itself is accessed to download the file.
As far as I know, it also performs password verifications, although
I don't know if it looks for the page-password or the group-password.
You can prevent people from downloading the upload-files directly, by
putting a .htaccess with the following lines into the uploads-directory:
Deny from all
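
A check for the two settings described in the reply above, as an added example that is not part of the original post or of PmWiki: it looks for an uncommented $EnableDirectDownload = 0; in config.php and a deny-all rule in the uploads directory's .htaccess. The function names and the temporary directory layout are assumptions, and besides the "Deny from all" quoted in the post it also accepts the Apache 2.4 form "Require all denied".

```python
import re
import tempfile
from pathlib import Path

# Uncommented PHP assignment such as: $EnableDirectDownload = 0;
ASSIGN_RE = re.compile(r'^\s*\$EnableDirectDownload\s*=\s*([^;]+);', re.M)
# Apache 2.2 "Deny from all" (as in the post) or Apache 2.4 "Require all denied"
DENY_RE = re.compile(r'^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$', re.I | re.M)

def direct_download_disabled(config_text):
    """True if the last uncommented assignment sets $EnableDirectDownload to 0."""
    # Drop // and # line comments so a commented-out setting is not counted.
    code = re.sub(r'(?m)^\s*(//|#).*$', '', config_text)
    values = ASSIGN_RE.findall(code)
    return bool(values) and values[-1].strip().strip('\'"').lower() in ('0', 'false')

def uploads_denied(uploads_dir):
    """True if uploads_dir/.htaccess contains an uncommented deny-all rule."""
    htaccess = Path(uploads_dir) / '.htaccess'
    if not htaccess.is_file():
        return False
    lines = [l for l in htaccess.read_text().splitlines() if not l.lstrip().startswith('#')]
    return bool(DENY_RE.search('\n'.join(lines)))

def audit(config_path, uploads_dir):
    """Return a list of findings; an empty list means both settings are in place."""
    findings, config = [], Path(config_path)
    if not config.is_file() or not direct_download_disabled(config.read_text()):
        findings.append('$EnableDirectDownload is not set to 0 in config.php')
    if not uploads_denied(uploads_dir):
        findings.append('uploads directory has no deny-all .htaccess rule')
    return findings

def demo():
    """Audit a constructed wiki layout before and after applying both settings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / 'uploads').mkdir()
        config = root / 'config.php'
        config.write_text('<?php\n# $EnableDirectDownload = 0;\n')  # commented out
        before = audit(config, root / 'uploads')
        config.write_text('<?php\n$EnableDirectDownload = 0;\n')
        (root / 'uploads' / '.htaccess').write_text('Deny from all\n')
        after = audit(config, root / 'uploads')
    return before, after

if __name__ == '__main__':
    print(demo())
```

A .htaccess rule only takes effect when the server's AllowOverride setting permits it, so also confirm that a direct request to an uploaded file's URL is refused by the server.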