summaryrefslogtreecommitdiff
path: root/doc/patchqueue/enable-htaccess-files.mdwn
blob: ed968b195101184e7ad608dc49a34320bcc6f317 (plain)
Index: IkiWiki.pm
===================================================================
--- IkiWiki.pm  (revision 2981)
+++ IkiWiki.pm  (working copy)
@@ -26,7 +26,7 @@
 memoize("file_pruned");
 
 sub defaultconfig () { #{{{
-       wiki_file_prune_regexps => [qr/\.\./, qr/^\./, qr/\/\./,
+       wiki_file_prune_regexps => [qr/\.\./, qr/^\.(?!htaccess)/, qr/\/\.(?!htaccess)/,
                qr/\.x?html?$/, qr/\.ikiwiki-new$/,
                qr/(^|\/).svn\//, qr/.arch-ids\//, qr/{arch}\//],
       wiki_link_regexp => qr/\[\[(?:([^\]\|]+)\|)?([^\s\]#]+)(?:#([^\s\]]+))?\]\]/,

This lets the site administrator have a .htaccess file in their underlay directory, say, then get it copied over when the wiki is built. Without this, installations that are located at the root of a domain don't get the benefit of .htaccess such as improved directory listings, IP blocking, URL rewriting, authorisation, etc.

I'm concerned about security ramifications of this patch. While ikiwiki won't allow editing such a .htaccess file in the web interface, it would be possible for a user who has svn commit access to the wiki to use it to add a .htaccess file that does $EVIL.

Perhaps this should be something that is configurable via the setup file instead. --[[Joey]]