summaryrefslogtreecommitdiff
path: root/doc/tips
diff options
context:
space:
mode:
authorJoey Hess <joey@gnu.kitenet.net>2010-03-14 14:58:13 -0400
committerJoey Hess <joey@gnu.kitenet.net>2010-03-14 14:58:13 -0400
commit823ec815d4fc9625d6fa3553ad03e9f2ff737659 (patch)
tree50900e409091975988df76257d6d1fe30f739d4a /doc/tips
parenta79c52337c1d42f18492caf0ba3da970874210c1 (diff)
Add a include setting, which can be used to make ikiwiki process wiki source files, such as .htaccess, that would normally be skipped for security or other reasons. Closes: #447267 (Thanks to Aaron Wilson for the original patch.)
Diffstat (limited to 'doc/tips')
-rw-r--r--doc/tips/htaccess_file.mdwn30
1 files changed, 30 insertions, 0 deletions
diff --git a/doc/tips/htaccess_file.mdwn b/doc/tips/htaccess_file.mdwn
new file mode 100644
index 000000000..5266eba41
--- /dev/null
+++ b/doc/tips/htaccess_file.mdwn
@@ -0,0 +1,30 @@
+If you try to include a `.htaccess` file in your wiki's source, in order to
+configure the web server, you'll find that ikiwiki excludes it from
+processing. In fact, ikiwiki excludes any file starting with a dot, as well
+as a lot of other files, for good security reasons.
+
+You can tell ikiwiki not to exclude the .htaccess file by adding this to
+your setup file:
+
+ include => '^\.htaccess$',
+
+Caution! Before you do that, please think for a minute about who can edit
+your wiki. Are attachment uploads enabled? Can users commit changes
+directly to the version control system? Do you trust everyone who can
+make a change to not do Bad Things with the htaccess file? Do you trust
+everyone who *might* be able to make a change in the future? Note that a
+determined attacker who can write to the htaccess file can probably get a
+shell on your web server.
+
+If any of these questions have given you pause, I suggest you find a
+different way to configure the web server. One way is to not put the
+`.htaccess` file under ikiwiki's control, and just manually install it
+in the destdir.
+
+[Apache's documentation](http://httpd.apache.org/docs/1.3/howto/htaccess.html)
+says
+> In general, you should never use .htaccess files unless you don't have
+> access to the main server configuration file.
+This is good advice -- if you can edit apache's main configuration files,
+then you should not use a htaccess file.
+--[[Joey]]