Recent Changes - Search:

Cookbook

PmWiki

pmwiki.org

WebServerSecurity

Summary: How to use ".htaccess" to make PmWiki more secure
Version:
Prerequisites:
Status:
Maintainer: NeilHerber

Question

How can I use ".htaccess" to make PmWiki more secure?

Answer

The Apache server (and other compatible web servers) can make use of per-directory ".htaccess" files to control access.

For PmWiki, there is a small but finite danger that scripts (configuration files) in the "local/" or "cookbook/" directories could be used to compromise your server. Most configuration files simply set values for variables and may include a few other scripts. But if a configuration file manipulates files or makes calls to the operating system (or includes another script that does).

Any risk from the configuration files can be virtually eliminated by making sure the beginning of the file reads...

   <?php if (!defined('PmWiki')) exit();

As an extra precaution, you may wish to include an ".htaccess" file in "local/" and "cookbook/". The file should read:

--- more text here ---

In the Apache 2 ".htaccess" tutorial (http://httpd.apache.org/docs-2.0/howto/htaccess.html) they suggest that to improve performance, all the configuration done using per-directory .htaccess files should be moved into the main httpd.conf file. However, if you do not have access to httpd.conf, the only choice you have is to use .htaccess. There is also some debate as to how much of a performance hit .htaccess processing creates.

.htaccess is dependant on correct setting of AllowOverride

Be very cautious with the use of .htaccess to implement your wiki security! If you use .htaccess rules to protect against unaithorized access of sensitive files in you wiki, make very sure the configuration of your Apache web server has allowed the use of .htaccess . In particular, make sure the web server configuration has the AllowOverride directive set to some other value than None .

When this directive is set to None, then .htaccess files are completely ignored. Probably some directories that shouldn't be accessible are publicly accessible by anonymous (not-logged-in) users!

There are some Linux distro's , for example Ubuntu, where the out-of-the-box configuration of Apache2 has set AllowOverride None for some or all directories that are publicly accessible through the web. In effect this renders all measures to protect your sensitive files by use of .htaccess useless! So be sure to change the default Apache configuration at least for your PmWiki directories like this:

<directory /home/paul/wiki/>
  AllowOverride Alle 
  ..
</directory> 

or at least like this:

<directory /home/paul/wiki/>
  AllowOverride FileInfo Limit
  ..
</directory> 
  • The directive Limit allows .htaccess to permit and prohibit access to directories using the "Allow", "Deny" and "Order" keywords.
  • The directive FileInfo allows .htaccess to rewrite the URL by keywords RewriteEngine, RewriteOptions, RewriteBase, RewriteCond, RewriteRule. These are necessary for implementing the Cookbook recipe CleanUrls.

2014-02-09 PaulWiegmans

Edit - History - Print - Recent Changes - Search
Page last modified on February 09, 2014, at 06:21 AM