[pmwiki-users] Enhancing "attach file" upload & general PmWiki security

tamouse mailing lists tamouse.lists at gmail.com
Sat May 5 16:29:31 CDT 2012

On Sat, May 5, 2012 at 1:27 PM, ABClf <languefrancaise at gmail.com> wrote:
> Maybe this way, if you have little data to scan and little activity :
> 1. use some tool to monitor the pmwiki upload directory and mirror it
> automatically on your own computer
> 2. scan your local mirror.
> Gilles.
> 2012/5/5 Al Louis Ripskis <ripskis at sprynet.com>:
>> May 4, 2012 11:32 PM tamouse wrote:
>>>Are you implementing your wiki on your personal computer or on a
>>>hosted web site? AVG runs on your (windows) personal computer, not
>>>your remotely hosted web site.
>> Yes, the wiki is on a hosted web site and the AVG runs on my Windows personal computer.
>> What I would like to find is whether there is a way to set up my personal computer so that when I go to my website, my AVG (that runs on my personal computer) will also automatically scan any new uploads on my hosted wiki.
>> Thanks,
>> Al


Well, you *can* do something like Gilles suggests. I'm not sure it
would be worth it, though. Consider: to make this work, you will have
to download the attachment to your local Windows box, somehow figure
out how to run AVG on it, then deal with the results somehow. If you
are comfortable writing scripts and such, then this should prove to be
too much of a problem. If not, and you want this, then it's time to
learn! :)

The first part, downloading, could be somewhat automated, basically
doing something like acquiring rsync (provided you have ssh access to
your server) or wget (if you only have ftp/http access) or lftp (if
only ftp access) for windows and running it periodically to mirror
your uploads directory to your local disk. Chances are, you have a ton
more disk space available locally on your Windows box than you do on
your web hosting, so this shouldn't be that much of a problem. The
question becomes your bandwidth utilisation, mainly, and timing.
Hopefully you are behind a fast broadband connection.

The second part, passing the files through AVG I have no knowledge of
as I don't use Windows or AVG. Someone else can probably help. Check
for something like a "watch" folder -- a special folder that AVG
watches to see if new content is placed in it -- if so, you should be
able to download the attachments from the wiki into that folder. But
again, I'm guessing here as I don't know AVG. Then you need some way
of AVG notifying you if it encounters a malfile.

The last part is where you need to make a decision. If a file trips
AVG's malware flags, then you'll most likely want to delete that file
(or move it to quarantine, possibly). This means you will have to keep
track of AVG's output to ensure prompt removal/quarantine of the file.

The main issue I see with this is timing. If a mal file gets up on
your server, that means it's immediately available for people to
download. The scheme above has a built-in delay, which varies
depending upon the degree to which each step can be automated. If you
have a popular site, with potentially popular uploads, this could be a
real problem.

The best thing is to prevent such files from being uploaded into the
wiki at all. Typically, this protection is enabled by setting a
password for uploading and only giving that password to known trusted
users. However, if you want to leave your wiki open for anyone to
upload, perhaps there is another way to afford protection, but it
may not be stock PmWiki.

A quick look through the Cookbook doesn't reveal anything immediately,
but what springs to mind is a combination of modifying
[URL Approvals](http://www.pmwiki.org/wiki/PmWiki/UrlApprovals) in order to
work with attached files instead of links and
[Secure Attachments](http://www.pmwiki.org/wiki/Cookbook/SecureAttachments) to
prevent direct access to uploaded content.
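
The mirror-then-scan workflow discussed in this message, as an added example that is not part of the original post: it picks out attachments that are new or have been replaced since the last run and copies them into a folder for the scanner. It assumes the uploads directory is already mirrored locally (by rsync, wget or lftp) and that the scanner is pointed at the staging folder; the function, folder and manifest names are hypothetical.

```python
from __future__ import annotations

import hashlib
import json
import shutil
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large attachments are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def stage_new_uploads(mirror: Path, staging: Path, manifest_path: Path) -> list[str]:
    """Copy files that are new or changed since the last run into `staging`.

    Returns the mirror-relative paths that were staged, so a flagged file can
    be traced back to the matching file in the wiki's uploads directory.
    """
    seen = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    staged = []
    for path in sorted(p for p in mirror.rglob("*") if p.is_file()):
        rel = path.relative_to(mirror).as_posix()
        digest = sha256_of(path)
        if seen.get(rel) == digest:
            continue  # same name and same content as last time: already scanned
        # A replaced attachment keeps its name but gets a new hash, so it is
        # staged again instead of being trusted because the name is known.
        target = staging / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        seen[rel] = digest
        staged.append(rel)
    manifest_path.write_text(json.dumps(seen, indent=2, sort_keys=True))
    return staged


if __name__ == "__main__":
    import tempfile
    # Constructed sample layout standing in for a mirrored uploads directory.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "mirror" / "Main").mkdir(parents=True)
        (root / "mirror" / "Main" / "notes.pdf").write_bytes(b"first upload")
        args = (root / "mirror", root / "to-scan", root / "manifest.json")
        print(stage_new_uploads(*args))  # first run stages every file
        print(stage_new_uploads(*args))  # second run finds nothing new
```

The returned paths are relative to the uploads directory, which is what is needed to find and remove or quarantine the same file on the server.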
