[pmwiki-users] Fwd: uploads security vs PmWikiDraw

Tegan Dowling tmdowling at gmail.com
Wed May 2 08:04:46 CDT 2007


On 5/2/07, Ciaran <ciaranj at gmail.com> wrote:
>
> On 4/30/07, Tegan Dowling <tmdowling at gmail.com> wrote:
> >
> >  Bump ... PM?  Anyone?
> >
> >
> > ---------- Forwarded message ----------
> > From: Tegan Dowling <tmdowling at gmail.com>
> >  Date: Apr 28, 2007 4:05 PM
> > Subject: uploads security vs PmWikiDraw
> > To: PmWiki Users <pmwiki-users at pmichaud.com>
> >
> > I typically secure uploads to my wikis by using the method described on the page http://www.pmwiki.org/wiki/Cookbook/SecureAttachments, which uses an .htaccess file in the uploads/ directory, with the following two lines:
> >       Order Deny,Allow
> >       Deny from all
> >
> > and then the following in local/config.php:
> >         $EnableDirectDownload = 0;
> >
> >
> > I find this conflicts with the use of the (wonderful!) PmWikiDraw recipe.  http://www.pmwiki.org/wiki/Cookbook/PmWikiDraw.
> >
> > When I create a drawing
> > (named "drawingname" on a page in the wikigroup http://www.myaddress.com/uploads/ExampleGroupname),
> > the java drawing applet displays a warning:
> > Error:java.io.IOException:Server returned HTTP response code: 403 for URL:    http://www.myaddress.com/uploads/ExampleGroupname/drawingname.draw
> >
> > And although I can create the drawing, and it does save and upload successfully, it won't display the image -- I guess because the recipe doesn't use the display syntax ?action=download&upname=file.ext?
> >
> > If I change local/config.php to
> >          $EnableDirectDownload = 1;
> >
> > and I remove the .htaccess file from the uploads/ directory, then the PmWikiDraw works ok.
> >
> > So is there some way that I can have both?  Could I make $EnableDirectDownload = 1; conditional on the wikigroup I'm working in, AND somehow get the .htaccess file to be ignored there as well?
> >
> > Ideas?
>
> Eek! Do you know if this directdownload option is newish, as I wasn't aware of it when I
> wrote the pmwikidraw scripts originally.  FWIW we're currently in the process of re-writing
> PmWikiDraw as a far more advanced AnyWikiDraw tool, with an intended PmWiki variant
> so it has to an extent been forgotten about [we intend to support the original format at
> least for initial loading of drawings!]
>  - ciaran

Hi!  The PmWikiDraw tool is so terrific, I would love to be able to
enable it on all my wikis!

The "$EnableDirectDownload = 0;" security option is not new, but it's
not the default configuration, either (although it is for my wikis).

If you look into how the option works, it seems to me that you may be
able to adjust your PmWikiDraw code so that it works in this
environment.  On these sites, attachments are displayed with
"http://address.com/Group/Page?action=download&upname=file.ext" (as
opposed to other configurations that display
"http://address.com/uploads/Group/file.ext").

I've just been hoping to find a work-around that would let me revert
to the regular configuration on pages/groups where the PmWikiDraw is
either in use or enabled, and I'm sure I could switch to a setting of
$EnableDirectDownload = 1; for such pages/groups, but I don't know of
any way to get the wiki to disregard the .htaccess file in the uploads
directory when rendering attachments to those pages/groups.

Does anyone know of anything I could put in the .htaccess file itself,
that would get it ignored for certain pages or groups?


