[pmwiki-users] Moving PmWiki session out of /tmp
Joachim Durchholz
jo at durchholz.org
Mon Nov 28 02:39:21 CST 2005
Ben Wilson wrote:
> Now to see if somehow the hacker finds access
> to that directory. :-)
Disallow WWW access to that directory.
I don't know how to do that with IIS (I think it's something with the
directory's properties), but it's easy in Apache: create a .htaccess
file with
    Order allow,deny
    Allow from none
    Deny from all
in it and place it in the session directory. Apache will then refuse to
serve files from the directory.
(PHP accesses the files directly, so it isn't affected by .htaccess.)
I usually put session directories in the installation directory of
whatever PHP package I install. Placing writable directories in the WWW
root defies all filesystem standards, but it does have the advantage
that it shares all the security of the PmWiki installation. We can also
hope that PHP is written well enough to avoid filename clashes and file
creation races (placing all temporaries in /tmp tends to make them
vulnerable to third-party, less-well-written software).
Regards,
Jo
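
Added example, not part of the original post: a small Python audit of the setup described above, checking that a session directory inside the web root carries a deny-all .htaccess like the one shown and is not open to other local users. It assumes Apache honours .htaccess for that path (AllowOverride) and that no Alias exposes directories outside the document root; the function name and the temporary paths are made up for illustration.

```python
import os
import re
import stat
import tempfile

# Directives that make Apache refuse every request for the directory:
# the 2.2-style "Deny from all" from the post, or 2.4-style "Require all denied".
DENY_ALL = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I)
# Directives that would grant access again ("Allow from none" is not one).
ALLOW_ANY = re.compile(r"^\s*(allow\s+from\s+(?!none\b)\S+|require\s+all\s+granted)", re.I)


def audit_session_dir(session_dir, docroot):
    """Return a list of findings; an empty list means no issue was found."""
    findings = []
    session_dir = os.path.realpath(session_dir)
    docroot = os.path.realpath(docroot)

    mode = stat.S_IMODE(os.stat(session_dir).st_mode)
    if mode & stat.S_IRWXO:
        findings.append("directory is accessible to other local users (mode %o)" % mode)

    # Assumption: a directory outside the document root has no URL, so
    # .htaccess is irrelevant there.
    if os.path.commonpath([session_dir, docroot]) != docroot:
        return findings

    htaccess = os.path.join(session_dir, ".htaccess")
    if not os.path.isfile(htaccess):
        findings.append("inside document root and no .htaccess present")
        return findings
    with open(htaccess, encoding="utf-8", errors="replace") as fh:
        lines = [l for l in fh if not l.lstrip().startswith("#")]
    if not any(DENY_ALL.match(l) for l in lines):
        findings.append(".htaccess has no deny-all directive")
    if any(ALLOW_ANY.match(l) for l in lines):
        findings.append(".htaccess contains a directive that grants access")
    return findings


if __name__ == "__main__":
    # Constructed layout: a docroot with a sessions/ directory inside it.
    root = tempfile.mkdtemp()
    sess = os.path.join(root, "sessions")
    os.mkdir(sess, 0o700)
    print(audit_session_dir(sess, root))   # before adding .htaccess
    with open(os.path.join(sess, ".htaccess"), "w") as fh:
        fh.write("Order allow,deny\nAllow from none\nDeny from all\n")
    print(audit_session_dir(sess, root))   # after adding the post's .htaccess
```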