[pmwiki-users] Protect uploaded files from direct access?
Patrick R. Michaud
pmichaud at pobox.com
Tue Jun 5 09:06:36 CDT 2007
On Tue, Jun 05, 2007 at 03:58:27PM +0200, martin at kerz.org wrote:
> I'm looking for a (preferably automated) solution to completely
> protect uploaded files from external access. If I upload a file
> within a group that is protected with a password, the file still can
> be accessed externally using the direct path, i.e.
> http://yourhost/pmwiki/uploads/Secretgroup/file.ext
>
> Setting $EnableDirectDownload=0 does only restrict the access from
> within the wiki.
>
> A friend of mine suggested to control the access to the subfolder
> using a .htaccess file. Is there a solution based on that method that
> is known to work?
>
> Moreover, I would love to have an automated protection. Is there a
> recipe for pmwiki to restrict direct access to uploaded files?

Try copying the .htaccess file from your wiki.d/ directory into
the uploads/ directory. It should read

    Order Deny,Allow
    Deny from all

This tells the webserver to deny all direct access to files in the
uploads/ directory. Since PmWiki doesn't use the webserver to
access the files in uploads/, it will still be able to respond to
?action=download requests (after checking authorizations).

Another possibility is to move uploads/ somewhere completely outside
of the webserver tree, and use $UploadDir to point to this new location:

    $UploadDir = '/path/to/uploads';

Pm
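
An added example, not part of the original post or of PmWiki: a shell check that an uploads/ directory really carries the deny-all .htaccess described above. The function name check_uploads_htaccess and its return codes are made up for this example; it also accepts the Apache 2.4 spelling "Require all denied" and flags an "Allow from" line that would re-open access under Order Deny,Allow.

```shell
#!/bin/sh
# Added example: audit an uploads/ directory for a deny-all .htaccess.
# Return codes (chosen for this example):
#   0 = unconditional deny-all rule present
#   1 = no .htaccess file in the directory
#   2 = .htaccess present but no unconditional deny-all rule

check_uploads_htaccess() {
    dir=$1
    file="$dir/.htaccess"
    [ -f "$file" ] || return 1

    # Apache directives are case-insensitive: drop comments, collapse
    # whitespace and lowercase everything before matching whole lines.
    rules=$(sed -e 's/#.*//' \
                -e 's/[[:space:]]\{1,\}/ /g' \
                -e 's/^ //' -e 's/ $//' "$file" | tr 'A-Z' 'a-z')

    # Apache 2.2 syntax, as quoted in the post: "Deny from all".
    if printf '%s\n' "$rules" | grep -qx 'deny from all'; then
        # With "Order Deny,Allow" any "Allow from ..." line overrides
        # the deny for the hosts it names, so treat it as not protected.
        if printf '%s\n' "$rules" | grep -q '^allow from '; then
            return 2
        fi
        return 0
    fi

    # Apache 2.4 syntax for the same rule.
    if printf '%s\n' "$rules" | grep -qx 'require all denied'; then
        return 0
    fi

    return 2
}

# Stand-alone use: sh check.sh /path/to/pmwiki/uploads ; echo $?
[ "$#" -eq 0 ] || check_uploads_htaccess "$1"
```

A return of 0 only shows the file is in place; Apache ignores .htaccess files where AllowOverride is None, so also request a known upload URL directly and confirm the server answers 403.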