Index: IkiWiki.pm
===================================================================
--- IkiWiki.pm (revision 2981)
+++ IkiWiki.pm (working copy)
@@ -26,7 +26,7 @@
memoize("file_pruned");
sub defaultconfig () {
- wiki_file_prune_regexps => [qr/\.\./, qr/^\./, qr/\/\./,
+ wiki_file_prune_regexps => [qr/\.\./, qr/^\.(?!htaccess)/, qr/\/\.(?!htaccess)/,
qr/\.x?html?$/, qr/\.ikiwiki-new$/,
qr/(^|\/).svn\//, qr/.arch-ids\//, qr/{arch}\//],
wiki_link_regexp => qr/\[\[(?:([^\]\|]+)\|)?([^\s\]#]+)(?:#([^\s\]]+))?\]\]/,
Note that the above patch is completely broken.
It removes the crucial excludes of all files starting with a dot.
The negative regexps for htaccess have no effect, so the whole
thing only "works" because it allows any file starting with a dot.
If you applied this patch to your ikiwiki, you opened a huge security
hole. --[[Joey]]
[[!tag patch patch/core]]
This lets the site administrator have a .htaccess
file in their underlay
directory, say, then get it copied over when the wiki is built. Without
this, installations that are located at the root of a domain don't get the
benefit of .htaccess
such as improved directory listings, IP blocking,
URL rewriting, authorisation, etc.
I'm concerned about security ramifications of this patch. While ikiwiki
won't allow editing such a .htaccess file in the web interface, it would
be possible for a user who has svn commit access to the wiki to use it to
add a .htaccess file that does $EVIL.
Perhaps this should be something that is configurable via the setup file
instead. --[[Joey]]
See
Hi, I would like to have my htaccess files in svn repository so ikiwiki would export that file to my webspace with every commit.
That way I have revision control on that file too. That may be a security concern, but I trust everybody that has svn commit
access and such .htaccess files should not be accessible through wiki cgi. Of course, it could default to 'off'.
See [[!debbug 447267]] for a patch for this.
It looks to me as though this functionality won't be included in ikiwiki
unless someone who wants it takes responsibility for updating the patch
from that Debian bug to be applicable to current versions, so that there's a
setup file parameter for extra filenames to allow, defaulting to none
(i.e. a less simplistic patch than the one at the top of this page).
Joey, is this an accurate summary? --[[smcv]]
bump! I would like to see some form of this functionality included in ikiwiki. I use a patched version, but
its a bit of a PITA to constantly apply it (and to forget sometimes!). I know that security concern is important to consider,
but I use ikiwiki with a very small group of people collaborating so svn/web access is under control
and htaccess is for limiting access to some areas of wiki.
It should be off by default of course. --Max
+1 I want .htaccess
so I can rewrite some old Wordpress URLs to make feeds work again. --[[hendry]]
Unless you cannot modify apache's configuration, you do not need htaccess
to do that. Apache's documentation recommends against using htaccess
unless you're a user who cannot modify the main server configuration.
--[[Joey]]
+1 for various purposes (but sometimes the filename isn't .htaccess
, so please make it configurable) --[[schmonz]]
I've described a workaround for one use case at the [[plugins/rsync]] [[plugins/rsync/discussion]] page. --[[schmonz]]
[[done]], you can use the include
setting to override the default
excludes now. Please use extreme caution when doing so. --[[Joey]]