[pmwiki-users] Re: Request for changing the default upload policy

Patrick R. Michaud pmichaud at pobox.com
Thu Dec 29 10:46:40 CST 2005


On Wed, Dec 28, 2005 at 07:18:55PM +0100, Mikael Nilsson wrote:
> ons 2005-12-28 klockan 11:55 -0600 skrev Patrick R. Michaud:
> > Another possibility is to simply create scripts/secure.php, and
> > then someone wanting high security can do:
> > 
> >     include_once('scripts/secure.php');
> > 
> > Then we can stay with just a single sample-config.php file,
> > and the sample include line can go at or near the top of the
> > script (with appropriate explanation of what to do with it).
> 
> The major problem with this is that it's not really a pure add-on, but
> it *modifies* the settings of a number of configuration variables. So
> unless you *don't* set these variables later in config.php, this
> actually does nothing.

I'm afraid I don't see the problem here.  With a scripts/secure.php
script, a site's config file ends up looking like:

    <?php if (!defined('PmWiki')) exit();
    include_once("$FarmD/scripts/secure.php");

    # Other configuration settings go here...

Essentially, secure.php will set variables to default to higher
security, just as if they had been originally set that way by PmWiki.
The config.php file can of course then override a setting made
by secure.php, but that's entirely up to the admin.

The other big advantage of this approach is that admins don't have
to review the contents of sample-secure.php with each upgrade and
fold changes into their config.php -- they automatically get any 
new security settings as part of the upgrade.

> Shipping an additional sample config has the advantage that it's 100%
> clear what happens.

I don't see that using a separate secure.php script makes it
any less clear; one can just as easily read scripts/secure.php
as they can a sample-secure.php file (assuming both are well
commented).  And if someone doesn't want to do the include,
there's no problem with simply copying the contents of 
scripts/secure.php into local/config.php and then modifying it 
there.

Pm
