[pmwiki-users] pmwiki-2.0.beta31 released
Patrick R. Michaud
pmichaud at pobox.com
Fri Apr 15 15:14:37 CDT 2005
Ooops, I forgot to write the details about how to secure the uploads/
directory!

On Fri, Apr 15, 2005 at 02:56:21PM -0500, Patrick R. Michaud wrote:
> This provides some important features:
> - it allows PmWiki to use site/group/page permissions to control
>   access to attachments

Of course, in addition to $EnableDirectDownload=0; we also have
to tell the webserver to block requests that go directly to the
uploads/ directory. There are several ways to do this:

Method 1: Move uploads/ out of the web directory hierarchy. This
is probably one of the easiest and most secure mechanisms -- simply
move uploads/ somewhere outside of the html/ or public_html/ area,
and then set $UploadDirFmt to the location of this new directory.

Method 2: If your server is running Apache, you may be able to
block access to uploads/ via a .htaccess file containing

    Order Deny,Allow
    Deny from all

There are copies of this file available in local/ and wiki.d/ that can
be simply copied into uploads/ . This allows the admin to keep the
uploads/ directory in the same location as the other PmWiki files.

Method 3: Configure the webserver to block all requests to files
in the uploads/ directory. For Apache this can be done by changing
httpd.conf; for other webservers consult the appropriate documentation. :-)

Pm
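
A local check for the lockdown described in the message above, as an added example that is not part of the original post or of PmWiki itself. It assumes the settings live in local/config.php under the install directory; the function name is hypothetical, and the "Require all denied" alternative is the Apache 2.4 spelling of the same rule, which the message does not mention.

```shell
#!/bin/sh
# Added example: audit a PmWiki install directory for the uploads/ lockdown.
# Assumed layout: DIR/local/config.php and (optionally) DIR/uploads/.
# Usage: sh check_uploads.sh /path/to/pmwiki

check_uploads_lockdown() {
    root=$1
    status=0

    # Step 1: an uncommented "$EnableDirectDownload = 0;" must be present,
    # otherwise PmWiki hands out direct URLs and skips its permission checks.
    if grep -Eq '^[[:space:]]*\$EnableDirectDownload[[:space:]]*=[[:space:]]*0[[:space:]]*;' \
        "$root/local/config.php" 2>/dev/null; then
        echo "ok:   \$EnableDirectDownload=0 set in local/config.php"
    else
        echo "FAIL: \$EnableDirectDownload=0 not found in local/config.php"
        status=1
    fi

    # Step 2: uploads/ must either be gone from the web tree (Method 1)
    # or carry a deny-all .htaccess (Method 2). A block placed in
    # httpd.conf (Method 3) is not visible from the file system, so a
    # failure here means "verify the server config by hand".
    if [ ! -d "$root/uploads" ]; then
        echo "ok:   no uploads/ inside the web tree (Method 1)"
    elif grep -Eiq '^[[:space:]]*(Deny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+denied)' \
        "$root/uploads/.htaccess" 2>/dev/null; then
        echo "ok:   uploads/.htaccess denies all requests (Method 2)"
    else
        echo "FAIL: uploads/ is in the web tree without a deny-all .htaccess"
        status=1
    fi

    return $status
}

# Run the audit when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    check_uploads_lockdown "$1"
fi
```

A passing file-system check does not prove the server honours .htaccess files; requesting a known attachment URL directly and confirming the server refuses it remains the definitive test.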