summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjoey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071>2007-03-18 22:27:09 +0000
committerjoey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071>2007-03-18 22:27:09 +0000
commit16112c32941a417c17ed5b2b6d503cd77ba1b8e3 (patch)
tree1554644f244b48f1b9aa51fa08ef52a66b3ea839
parentcb0c642aed71ec8af797e8c59c61f6ea882cf541 (diff)
response
-rw-r--r--debian/changelog2
-rw-r--r--doc/patchqueue/enable-htaccess-files.mdwn14
2 files changed, 14 insertions, 2 deletions
diff --git a/debian/changelog b/debian/changelog
index 0d92b5175..26aaad53b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -13,7 +13,7 @@ ikiwiki (1.46) UNRELEASED; urgency=low
* Applied a patch from MichaƂ to make the mercurial backend pass --quiet to
hg.
- -- Joey Hess <joeyh@debian.org> Sat, 17 Mar 2007 19:56:04 -0400
+ -- Joey Hess <joeyh@debian.org> Sun, 18 Mar 2007 18:22:12 -0400
ikiwiki (1.45) unstable; urgency=low
diff --git a/doc/patchqueue/enable-htaccess-files.mdwn b/doc/patchqueue/enable-htaccess-files.mdwn
index cb034fadf..ed968b195 100644
--- a/doc/patchqueue/enable-htaccess-files.mdwn
+++ b/doc/patchqueue/enable-htaccess-files.mdwn
@@ -13,4 +13,16 @@
wiki_link_regexp => qr/\[\[(?:([^\]\|]+)\|)?([^\s\]#]+)(?:#([^\s\]]+))?\]\]/,
-This lets the site administrator have a `.htaccess` file in their underlay directory, say, then get it copied over when the wiki is built. Without this, installations that are located at the root of a domain don't get the benefit of `.htaccess` such as improved directory listings, IP blocking, URL rewriting, authorisation, etc. \ No newline at end of file
+This lets the site administrator have a `.htaccess` file in their underlay
+directory, say, then get it copied over when the wiki is built. Without
+this, installations that are located at the root of a domain don't get the
+benefit of `.htaccess` such as improved directory listings, IP blocking,
+URL rewriting, authorisation, etc.
+
+> I'm concerned about security ramifications of this patch. While ikiwiki
+> won't allow editing such a .htaccess file in the web interface, it would
+> be possible for a user who has svn commit access to the wiki to use it to
+> add a .htaccess file that does $EVIL.
+>
+> Perhaps this should be something that is configurable via the setup file
+> instead. --[[Joey]]