2007-03-17 01:59:18 +01:00
|
|
|
Index: IkiWiki.pm
|
|
|
|
===================================================================
|
|
|
|
--- IkiWiki.pm (revision 2981)
|
|
|
|
+++ IkiWiki.pm (working copy)
|
|
|
|
@@ -26,7 +26,7 @@
|
|
|
|
memoize("file_pruned");
|
|
|
|
|
2008-12-17 21:22:16 +01:00
|
|
|
sub defaultconfig () {
|
2007-03-17 01:59:18 +01:00
|
|
|
- wiki_file_prune_regexps => [qr/\.\./, qr/^\./, qr/\/\./,
|
|
|
|
+ wiki_file_prune_regexps => [qr/\.\./, qr/^\.(?!htaccess)/, qr/\/\.(?!htaccess)/,
|
|
|
|
qr/\.x?html?$/, qr/\.ikiwiki-new$/,
|
|
|
|
qr/(^|\/).svn\//, qr/.arch-ids\//, qr/{arch}\//],
|
|
|
|
wiki_link_regexp => qr/\[\[(?:([^\]\|]+)\|)?([^\s\]#]+)(?:#([^\s\]]+))?\]\]/,
|
|
|
|
|
2010-03-14 20:08:41 +01:00
|
|
|
> Note that the above patch is **completely broken**.
|
|
|
|
> It removes the crucial excludes of all files starting with a dot.
|
|
|
|
> The negative regexps for htaccess have no effect, so the whole
|
|
|
|
> thing only "works" because it allows *any* file starting with a dot.
|
|
|
|
> If you applied this patch to your ikiwiki, you opened a huge security
|
|
|
|
> hole. --[[Joey]]
|
|
|
|
|
2009-07-18 14:06:04 +02:00
|
|
|
[[!tag patch patch/core]]
|
2007-03-17 01:59:18 +01:00
|
|
|
|
2007-03-18 23:27:09 +01:00
|
|
|
This lets the site administrator have a `.htaccess` file in their underlay
|
|
|
|
directory, say, then get it copied over when the wiki is built. Without
|
|
|
|
this, installations that are located at the root of a domain don't get the
|
|
|
|
benefit of `.htaccess` such as improved directory listings, IP blocking,
|
|
|
|
URL rewriting, authorisation, etc.
|
|
|
|
|
|
|
|
> I'm concerned about security ramifications of this patch. While ikiwiki
|
|
|
|
> won't allow editing such a .htaccess file in the web interface, it would
|
|
|
|
> be possible for a user who has svn commit access to the wiki to use it to
|
|
|
|
> add a .htaccess file that does $EVIL.
|
|
|
|
>
|
|
|
|
> Perhaps this should be something that is configurable via the setup file
|
|
|
|
> instead. --[[Joey]]
|
2007-10-25 01:13:12 +02:00
|
|
|
|
|
|
|
> See
|
|
|
|
|
|
|
|
---
|
|
|
|
|
|
|
|
Hi, I would like to have my htaccess files in svn repository so ikiwiki would export that file to my webspace with every commit.
|
|
|
|
|
|
|
|
That way I have revision control on that file too. That may be a security concern, but I trust everybody that has svn commit
|
|
|
|
access and such .htaccess files should not be accessible through wiki cgi. Of course, it could default to 'off'.
|
|
|
|
|
2008-07-21 13:31:33 +02:00
|
|
|
> See [[!debbug 447267]] for a patch for this.
|
2007-10-25 01:13:12 +02:00
|
|
|
|
2009-07-18 14:08:13 +02:00
|
|
|
>> It looks to me as though this functionality won't be included in ikiwiki
|
|
|
|
>> unless someone who wants it takes responsibility for updating the patch
|
|
|
|
>> from that Debian bug to be applicable to current versions, so that there's a
|
|
|
|
>> setup file parameter for extra filenames to allow, defaulting to none
|
|
|
|
>> (i.e. a less simplistic patch than the one at the top of this page).
|
|
|
|
>> Joey, is this an accurate summary? --[[smcv]]
|
|
|
|
|
2008-01-08 19:27:18 +01:00
|
|
|
---
|
|
|
|
|
2008-01-08 19:28:57 +01:00
|
|
|
bump! I would like to see some form of this functionality included in ikiwiki. I use a patched version, but
|
|
|
|
its a bit of a PITA to constantly apply it (and to forget sometimes!). I know that security concern is important to consider,
|
|
|
|
but I use ikiwiki with a very small group of people collaborating so svn/web access is under control
|
|
|
|
and htaccess is for limiting access to some areas of wiki.
|
2008-01-08 19:27:18 +01:00
|
|
|
It should be off by default of course. --Max
|
|
|
|
|
2009-06-23 15:13:35 +02:00
|
|
|
---
|
|
|
|
+1 I want `.htaccess` so I can rewrite some old Wordpress URLs to make feeds work again. --[[hendry]]
|
|
|
|
|
2010-03-14 20:12:59 +01:00
|
|
|
> Unless you cannot modify apache's configuration, you do not need htaccess
|
|
|
|
> to do that. Apache's documentation recommends against using htaccess
|
|
|
|
> unless you're a user who cannot modify the main server configuration.
|
|
|
|
> --[[Joey]]
|
|
|
|
|
2009-06-23 18:18:15 +02:00
|
|
|
---
|
|
|
|
+1 for various purposes (but sometimes the filename isn't `.htaccess`, so please make it configurable) --[[schmonz]]
|
2009-10-14 02:56:29 +02:00
|
|
|
|
|
|
|
> I've described a workaround for one use case at the [[plugins/rsync]] [[plugins/rsync/discussion]] page. --[[schmonz]]
|
2010-03-14 19:58:13 +01:00
|
|
|
|
|
|
|
---
|
|
|
|
|
|
|
|
[[done]], you can use the `include` setting to override the default
|
|
|
|
excludes now. Please use extreme caution when doing so. --[[Joey]]
|