[pmwiki-users] pmwiki-2.0.beta31 released

Patrick R. Michaud pmichaud at pobox.com
Fri Apr 15 15:14:37 CDT 2005


Ooops, I forgot to write the details about how to secure the uploads/
directory!

On Fri, Apr 15, 2005 at 02:56:21PM -0500, Patrick R. Michaud wrote:
> This provides some important features:
>   - it allows PmWiki to use site/group/page permissions to control
>     access to attachments

Of course, in addition to $EnableDirectDownload=0; we also have
to tell the webserver to block requests that go directly to the
uploads/ directory.  There are several ways to do this:

Method 1:  Move uploads/ out of the web directory hierarchy.  This
is probably one of the easiest and most secure mechanisms -- simply
move uploads/ somewhere outside of the html/ or public_html/ area,
and then set $UploadDirFmt to the location of this new directory.

Method 2:  If your server is running Apache, you may be able to 
block access to uploads/ via a .htaccess file containing
    
    Order Deny,Allow
    Deny from all

There are copies of this file available in local/ and wiki.d/ that can
be simply copied into uploads/ .  This allows the admin to keep the
uploads/ directory in the same location as the other PmWiki files.

Method 3:  Configure the webserver to block all requests to files
in the uploads/ directory.  For Apache this can be done by changing
httpd.conf; for other webservers consult their documentation. :-)

Pm
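
A static audit for Methods 1 and 2 described in the message above, as an added example that is not part of the original message or of PmWiki: it reports whether an uploads/ directory lies outside the web tree or carries a .htaccess with "Deny from all". The function names and the two path arguments are assumptions; a server-level block (Method 3) is not visible to this check, and a .htaccess only takes effect where Apache's AllowOverride permits it.

```shell
#!/bin/sh
# Added example: audit an uploads/ directory against Methods 1 and 2.
# Hypothetical helper names; DOCROOT and UPLOADS are supplied by the admin.

# Absolute path of directory $1; $2 is -L (logical) or -P (symlinks resolved).
absdir() { ( cd "$1" 2>/dev/null && pwd "$2" ); }

# Succeeds when path $2 equals or lies below path $1.
under() { case "$2/" in "$1"/*) return 0 ;; esac; return 1; }

# Succeeds when $1/.htaccess has an uncommented "Deny from all" line.
has_deny_all() {
    [ -f "$1/.htaccess" ] || return 1
    grep -v '^[[:space:]]*#' "$1/.htaccess" |
        grep -Eiq '^[[:space:]]*deny[[:space:]]+from[[:space:]]+all[[:space:]]*$'
}

# check_uploads DOCROOT UPLOADS
# Prints outside-docroot, htaccess-deny, EXPOSED or missing.
# Exit status: 0 protected, 1 no file-level protection found, 2 bad path.
check_uploads() {
    [ -d "$1" ] && [ -d "$2" ] || { echo missing; return 2; }
    # A symlink inside the web tree that points elsewhere is still reachable
    # through the server, so both the logical and physical paths must be
    # outside DOCROOT before the directory counts as moved out (Method 1).
    if ! under "$(absdir "$1" -L)" "$(absdir "$2" -L)" &&
       ! under "$(absdir "$1" -P)" "$(absdir "$2" -P)"; then
        echo outside-docroot; return 0
    fi
    if has_deny_all "$2"; then        # Method 2
        echo htaccess-deny; return 0
    fi
    echo EXPOSED; return 1
}

# Run as: sh audit.sh /path/to/public_html /path/to/uploads
if [ "$#" -eq 2 ]; then check_uploads "$1" "$2"; fi
```

An EXPOSED result means only that neither file-level measure was found; confirm a Method 3 setup by requesting a known attachment URL directly and checking that the server refuses it.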


