[pmwiki-users] Please challenge me: Script idea

Kathryn Andersen kat_lists at katspace.homelinux.org
Thu Oct 5 06:10:27 CDT 2006


On Thu, Oct 05, 2006 at 12:31:57PM +0200, Mike wrote:
> However, it gets problematic as soon as we talk about private, i.e.
> password protected galleries. Simple reason: the script creates HTML
> image tags and therefore requires the images to be in a publicly
> accessible folder. Any user who knows or can guess an image name/path
> can view the images, even if the gallery itself is password-protected
> from within the wiki.

> 2) Protect the pictures directory with a .htaccess file, and then find a
> way to make sure that the image remains readable as long as it's called
> from the PmWiki script, e.g. by providing username/password as part of
> the URL. If that is possible at all, but I think there might be a way in
> the form <img src="user:pass at http://domain.com/pictures/party/*.jpg" />
> Disadvantages:
>  - username and password for the directory are part of the image link -
> possible security issues
>  - clumsy to deal with - have to administer both Apache directory
> passwords and PmWiki group/page passwords

There are other things that you could do with Apache config that
wouldn't require sending a user+password in the clear.

(a) Check the referrer in Apache, and disallow access to the private
image directory if it doesn't come from the appropriate protected PmWiki
URL.  It would be a more specialized version of the technique described
here: http://www.serverwatch.com/tutorials/article.php/1132731
This has disadvantages in that it is possible to fake the HTTP_REFERER
info, but people would have to know what URL to fake first.

(b) Use Apache Basic Authentication to access your wiki (one can set up
PmWiki to recognise this) and password-protect that private image
directory with the same user-access as the wiki.
This has disadvantages in that Apache BA doesn't allow one to log out,
and also rather pointless if you already have users who have
non-.htpasswd logins.

Kathryn Andersen
-- 
 _--_|\     | Kathryn Andersen	<http://www.katspace.com>
/      \    | 
\_.--.*/    | GenFicCrit mailing list <http://www.katspace.com/gen_fic_crit/>
      v     | 
------------| Melbourne -> Victoria -> Australia -> Southern Hemisphere
Maranatha!  |	-> Earth -> Sol -> Milky Way Galaxy -> Universe
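Options (a) and (b) from the message above, sketched as an added example; this is not configuration from the original post or from PmWiki. It assumes Apache 2.4 syntax, and the directory path, hostname, wiki group name and password file path are constructed placeholders.

```apache
# Use ONE of the two alternatives below for the private image directory.

# --- Option (a): allow image requests only when the Referer header
# --- points at the protected wiki pages.
# This is a deterrent, not authentication: the Referer header is
# supplied by the client, and some browsers and proxies strip it,
# which would block legitimate viewers too.
<Directory "/var/www/example/pictures/private">
    # Flag requests whose Referer is a page in the (hypothetical)
    # "Private" wiki group on the placeholder host wiki.example.org.
    SetEnvIfNoCase Referer "^https://wiki\.example\.org/pmwiki\.php\?n=Private\." from_private_gallery
    # Everything without the flag gets 403 Forbidden.
    Require env from_private_gallery
</Directory>

# --- Option (b): HTTP Basic Authentication on the image directory,
# --- using the same password file that protects the wiki itself,
# --- so one login covers both the pages and the images.
<Directory "/var/www/example/pictures/private">
    AuthType Basic
    AuthName "Private gallery"
    # Placeholder path; keep the password file outside the web root.
    AuthUserFile "/etc/apache2/wiki.htpasswd"
    Require valid-user
</Directory>
```

Basic Authentication sends the credentials base64-encoded rather than encrypted on every request, so option (b) only keeps them out of the clear when the site is served over HTTPS.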



