[pmwiki-users] Images in another group
H. Fox
haganfox at users.sourceforge.net
Wed Dec 7 18:07:18 CST 2005
On 12/7/05, Tegan Dowling <tmdowling at gmail.com> wrote:
> Would this be more secure than the .htaccess method?
It could be slightly more secure.
One reason: If the web server were unknowingly re-configured not
to honor the .htaccess method (by changing Apache's AllowOverride
and/or AccessFileName directives) the .htaccess method could quit
working, rendering the files accessible via direct download by knowing
or guessing that, for example, this file
http://www.pmwiki.org/wiki/Cookbook/LightSkin?action=download&upname=xhtml-valid.png
is located here
http://www.pmwiki.org/pmwiki/uploads/Cookbook/xhtml-valid.png
Another reason: Someone with another user account on the system can
sometimes read files from your web document tree. Putting the files
elsewhere might make it possible to read-protect them more
effectively.
These reasons don't mean the .htaccess method isn't "good enough"
though. Disclaimer: they're off the top of my head. Others (Pm, Jo)
would be able to differentiate the security ramifications of two
approaches more thoroughly.
> Would it be the same
> from the user's point of view?
Yes.
Hagan
> On 12/7/05, H. Fox < haganfox at users.sourceforge.net> wrote:
> >
> > On 12/7/05, Patrick R. Michaud < pmichaud at pobox.com> wrote:
> > > Thus, if the wiki administrator turns off access to uploads via
> > > direct url (e.g., via a .htaccess file or equivalent),
> >
> > Another method, which isn't equivalent but has the same effect
> > (disallowing direct access to uploaded files), would be to move
> > uploads outside your web server's document tree. You can use
> >
> > $UploadDir = "/some/path/the/server/won't/serve/from/uploads";
> >
> > PmWiki can run with all script-written files stored outside the web
> > document tree, which is pretty impressive. For a clunky method of
> > setting this up, see
> > http://www.pmwiki.org/wiki/Cookbook/SourceForgeServers
> >
> > Hagan
> >
> > > then the only
> > > way to access uploaded files will be by using ?action=download on a
> > > page, and this will require read permission to the page.
> > >
> > > Hope this helps...?
> > >
> > > Pm
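
A check for the two points raised in this thread (uploads that rely on .htaccess because they sit inside the document tree, and uploads readable by other local accounts), as an added example that is not part of the original messages or of PmWiki. The function name, finding labels and directory layout are constructed for illustration; it assumes PHP runs as the owner of the files, so owner-only permissions do not break the wiki.

```python
import os
import stat
import tempfile

def audit_upload_dir(upload_dir, docroot):
    """Return sorted findings for an upload directory (labels are hypothetical)."""
    findings = []
    real_up = os.path.realpath(upload_dir)   # resolve symlinks in the configured path
    real_root = os.path.realpath(docroot)
    if os.path.commonpath([real_up, real_root]) == real_root:
        findings.append("inside-docroot")
        # Inside the tree, protection depends on .htaccess existing AND Apache
        # still honouring it (AllowOverride / AccessFileName unchanged).
        if not os.path.isfile(os.path.join(real_up, ".htaccess")):
            findings.append("no-htaccess")
    # Other local accounts: flag anything with r/w/x bits set for "other".
    for dirpath, _dirs, files in os.walk(real_up):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            if os.path.islink(path):
                continue
            if stat.S_IMODE(os.lstat(path).st_mode) & stat.S_IRWXO:
                findings.append("other-accessible:" + os.path.relpath(path, real_up))
    return sorted(findings)

def demo():
    """Constructed layout: one upload dir inside the docroot, one outside it."""
    with tempfile.TemporaryDirectory() as base:
        docroot = os.path.join(base, "htdocs")
        inside = os.path.join(docroot, "pmwiki", "uploads")
        outside = os.path.join(base, "private", "uploads")
        for top, dmode, fmode in ((inside, 0o755, 0o644), (outside, 0o700, 0o600)):
            group = os.path.join(top, "Cookbook")
            os.makedirs(group)
            upload = os.path.join(group, "xhtml-valid.png")
            open(upload, "wb").close()
            os.chmod(upload, fmode)
            os.chmod(group, dmode)
            os.chmod(top, dmode)
        return audit_upload_dir(inside, docroot), audit_upload_dir(outside, docroot)

if __name__ == "__main__":
    for label, result in zip(("inside docroot", "outside docroot"), demo()):
        print(label, "->", result or "no findings")
```

The check only inspects the filesystem; whether Apache actually honours .htaccess still has to be confirmed by requesting a direct upload URL and expecting a denial.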