How can I use ".htaccess" to make PmWiki more secure?
The Apache server (and other compatible web servers) can make use of per-directory ".htaccess" files to control access.
For PmWiki, there is a small but finite danger that scripts (configuration files) in the "local/" or "cookbook/" directories could be used to compromise your server. Most configuration files simply set values for variables and may include a few other scripts. But if a configuration file manipulates files or makes calls to the operating system (or includes another script that does).
Any risk from the configuration files can be virtually eliminated by making sure the beginning of the file reads...
<?php if (!defined('PmWiki')) exit();
As an extra precaution, PmWiki comes with special ".htaccess" files in the "local/" and "cookbook/" directories, that prevent access to these directories with a browser. In case of a WikiFarm, you should add such a file in the local/ directory of every field. They should read:
# .htaccess - Apache fileserver configuration file # This file is in the directory to prevent the directory's # contents from being accessed directly by browsers # (this is a potential security hole). Order Deny,Allow Deny from all
PmWiki automatically places such a file in wiki.d, but this protection is inactive if per-directory overriding is disabled in the Apache configuration, see the section on AllowOverride below.
In the Apache 2 ".htaccess" tutorial (http://httpd.apache.org/docs-2.0/howto/htaccess.html) they suggest that to improve performance, all the configuration done using per-directory .htaccess files should be moved into the main httpd.conf file. However, if you do not have access to httpd.conf, the only choice you have is to use .htaccess. There is also some debate as to how much of a performance hit .htaccess processing creates.
.htaccess is dependent on correct setting of AllowOverride
Be very cautious with the use of .htaccess to implement your wiki security!
If you use .htaccess rules to protect against unauthorized access of sensitive files in you wiki, make very sure the configuration of your Apache web server has allowed the use of .htaccess . In particular, make sure the web server configuration has the
When this directive is set to None, then .htaccess files are completely ignored. Probably some directories that shouldn't be accessible are publicly accessible by anonymous (not-logged-in) users!
There are some Linux distro's , for example Ubuntu, where the out-of-the-box configuration of Apache2 has set
<directory /home/paul/wiki/> AllowOverride All .. </directory>
or at least like this:
<directory /home/paul/wiki/> AllowOverride FileInfo Limit .. </directory>