[pmwiki-users] Fwd: uploads security vs PmWikiDraw

Ciaran ciaranj at gmail.com
Thu May 3 02:09:46 CDT 2007


On 5/2/07, Tegan Dowling <tmdowling at gmail.com> wrote:
>
> On 5/2/07, Ciaran <ciaranj at gmail.com> wrote:
> > On 5/2/07, Tegan Dowling <tmdowling at gmail.com> wrote:
> >
> > > On 5/2/07, Ciaran <ciaranj at gmail.com> wrote:
> > > >
> > > > On 4/30/07, Tegan Dowling <tmdowling at gmail.com> wrote:
> > > > >
> > > > >  Bump ... PM?  Anyone?
> > > > >
> > > > >
> > > > > ---------- Forwarded message ----------
> > > > > > From: Tegan Dowling <tmdowling at gmail.com>
> > > > > > Date: Apr 28, 2007 4:05 PM
> > > > > > Subject: uploads security vs PmWikiDraw
> > > > > > To: PmWiki Users <pmwiki-users at pmichaud.com>
> > > > >
> > > > > > I typically secure uploads to my wikis by using the method described
> > > > > > on the page http://www.pmwiki.org/wiki/Cookbook/SecureAttachments,
> > > > > > which uses an .htaccess file in the uploads/ directory, with the
> > > > > > following two lines:
> > > > >       Order Deny,Allow
> > > > >       Deny from all
> > > > >
> > > > > and then the following in local/config.php:
> > > > >         $EnableDirectDownload = 0;
> > > > >
> > > > >
> > > > > > I find this conflicts with the use of the (wonderful!) PmWikiDraw
> > > > > > recipe.  http://www.pmwiki.org/wiki/Cookbook/PmWikiDraw.
> > > > > >
> > > > > > When I create a drawing (named "drawingname" on a page in the
> > > > > > wikigroup http://www.myaddress.com/uploads/ExampleGroupname),
> > > > > > the java drawing applet displays a warning:
> > > > > > Error:java.io.IOException:Server returned HTTP response code: 403 for URL:
> > > > > > http://www.myaddress.com/uploads/ExampleGroupname/drawingname.draw
> > > > > >
> > > > > > And although I can create the drawing, and it does save and upload
> > > > > > successfully, it won't display the image -- I guess because the recipe
> > > > > > doesn't use the display syntax ?action=download&upname=file.ext ?
> > > > > >
> > > > > > If I change local/config.php to:
> > > > > >          $EnableDirectDownload = 1;
> > > > > >
> > > > > > and I remove the .htaccess file from the uploads/ directory, then
> > > > > > the PmWikiDraw works ok.
> > > > > >
> > > > > > SO is there some way that I can have both?  Could I make
> > > > > > $EnableDirectDownload = 1; conditional on the wikigroup I'm working in,
> > > > > > AND somehow get the .htaccess file to be ignored there as well?
> > > > >
> > > > > Ideas?
> > > >
> > > > > Eek! do you know if this directdownload option is newish, as I wasn't
> > > > > aware of it when I wrote the pmwikidraw scripts originally.  FWIW we're
> > > > > currently in the process of re-writing PmWikiDraw as a far more advanced
> > > > > AnyWikiDraw tool, with an intended PmWiki variant so it has to an extent
> > > > > been forgotten about [we intend to support the original format at least
> > > > > for initial loading of drawings!]
> > > >  - ciaran
> > >
> > > Hi!  The PmWikiDraw tool is so terrific, I would love to be able to
> > > enable it on all my wikis!
> >
> > > Well soon you should be able to, plus with versioning, svg support, and
> > > much much more ;)
> >
> > > The "$EnableDirectDownload = 0;" security option is not new, but it's
> > > not the default configuration, either (although it is for my wikis).
> >
> > > I'd not come across it before!
> >
> > > > If you look into how the option works, it seems to me that you may be
> > > > able to adjust your PmWikiDraw code so that it works in this
> > > > environment.  On these sites, attachments are displayed with
> > > > "http://address.com/Group/Page?action=download&upname=file.ext"
> > > > (as opposed to other configurations that display
> > > > "http://address.com/uploads/Group/file.ext")
> > >
> > > Right, I've enabled a work-around I think, please try the new version
> > > I've put up on PmWiki.org for you!
> > Let me know how it goes :)
> > --
> > - Ciaran
>
> Hi, Ciaran:  Success! (mostly)
>
> I restored the downloads protection as I normally have it, and now I
> can create and edit PmWikiDraw files.  The only thing that's still odd
> is that the java app does display an error message across the bottom
> of its window when creating a new file.  The error doesn't prevent
> file creation, so it's not critical, but it is odd:
>
> When I create a drawing (named "drawingname" on a page in the
> wikigroup http://www.myaddress.com/uploads/ExampleGroupname),
> the java drawing applet displays a warning:
> Error:java.io.FileNotFoundException:
> http://www.myaddress.com?n=ExampleGroupname.ExamplePagename&action=download&upname=drawingname.draw

Believe it or not, this is expected behaviour :)   When the Applet first
loads, it tries to download the drawing file, for rendering.  The first
time you "create a drawing" there isn't one there until the applet's first
save has completed :)

> Thanks so much for this tool, and for your terrific responsiveness!


No worries, like I said keep an eye out for AnyWikiDraw  it should be coming
to a wiki near you fairly soonish <g>
 -Ciaran


> Tegan

-- 
- Ciaran
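
The thread depends on two settings being used together: the deny-all `.htaccess` in `uploads/` and `$EnableDirectDownload = 0;` in `local/config.php`. The following check is an added example, not part of the original messages or of PmWiki; it classifies the combination from the text of those two files. The function names and result labels are hypothetical, the sample inputs are constructed, and it assumes only site-wide `local/config.php` is in play (no per-group overrides).

```python
import re

# Deny-all in Apache 2.2 ("Deny from all") or 2.4 ("Require all denied") syntax.
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)
# Assignments to $EnableDirectDownload in local/config.php; the last one wins.
EDD_RE = re.compile(r"^\s*\$EnableDirectDownload\s*=\s*([^;]+);", re.M)


def strip_comments(text, markers):
    """Drop whole-line comments so commented-out settings are not counted."""
    return "\n".join(
        line for line in text.splitlines() if not line.lstrip().startswith(markers)
    )


def direct_download_enabled(config_php):
    """True unless config.php sets the variable to a false value (PmWiki's default is on)."""
    values = EDD_RE.findall(strip_comments(config_php, ("#", "//")))
    if not values:
        return True
    return values[-1].strip().strip("'\"").lower() not in ("0", "false", "")


def uploads_denied(htaccess):
    """True if uploads/.htaccess exists (not None) and contains a deny-all rule."""
    return htaccess is not None and bool(DENY_RE.search(strip_comments(htaccess, ("#",))))


def audit(htaccess, config_php):
    """Classify the combination of the two settings discussed in the thread."""
    denied, direct = uploads_denied(htaccess), direct_download_enabled(config_php)
    if denied and not direct:
        return "ok"            # files only reachable through ?action=download
    if denied and direct:
        return "broken-links"  # wiki emits /uploads/ URLs that the server answers with 403
    if not denied and not direct:
        return "bypassable"    # /uploads/ URLs are still served without PmWiki's checks
    return "open"              # default configuration: uploads are public


if __name__ == "__main__":
    # Constructed sample inputs, using the settings quoted in the thread.
    secure = "Order Deny,Allow\nDeny from all\n"
    print(audit(secure, "<?php\n$EnableDirectDownload = 0;\n"))
    print(audit(secure, "<?php\n$EnableDirectDownload = 1;\n"))
    print(audit(None, "<?php\n$EnableDirectDownload = 0;\n"))
```
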