01345: Wording in .htaccess
The bundled .htaccess in /scripts reads as though it's the one in /cookbook...
Also, the wording is perhaps not correct, where "albeit unlikely" should be removed. (Based on an edit made by Petko here.)
# This file is cookbook/.htaccess -- the default distribution contains this # file to prevent cookbook/ scripts from being accessed directly by browsers # (this is a potential, albeit very unlikely, security hole). # # If you alter or replace this file, it will likely be overwritten when # you upgrade from one version of PmWiki to another. Be sure to save # a copy of your alterations in another location so you can restore them, # and you might try changing this file to be read-only to prevent a PmWiki # upgrade from overwriting your altered version. Order Deny,Allow Deny from all
# This file is scripts/.htaccess -- the default distribution contains this # file to prevent scripts/ scripts from being accessed directly by browsers. # (This is a potential security hole.) # # If you alter or replace this file, it will likely be overwritten when # you upgrade from one version of PmWiki to another. Be sure to save # a copy of your alterations in another location so you can restore them, # and you might try changing this file to be read-only to prevent a PmWiki # upgrade from overwriting your altered version. Order Deny,Allow Deny from all
-HaganFox May 31, 2014, at 02:46 AM
Changed "cookbook/" with "scripts/". For these two directories, the potential security hole is indeed unlikely. I've removed the "very unlikely" part from the Cookbook recipe because of the wiki.d directory. If people think they are protecting some pages with passwords but wiki.d is accessible, the security hole is not only potential, it is real. --Petko May 31, 2014, at 04:31 AM
Correct me if I'm wrong, please: An administrator doesn't need to put an .htaccess file in wiki.d/ because
- it's put there automatically when wiki.d/ is created, and
- if .htaccess in wiki.d/ is deleted, it will be replaced automatically by PmWiki.
You are not completely wrong - a .htaccess will be added not immediately after such a file is removed, but only when PmWiki is saving a page. It is also worth noting that the mere fact that PmWiki puts a .htaccess in the directory does not always guarantee that the directory is protected. The server has to be Apache, and its settings have to allow .htaccess files to be used as per-directory configuration. This is not always the case, hence an entire section in Cookbook:WebServerSecurity. --Petko June 01, 2014, at 03:20 PM
A scenario of a somehow-disappearing .htaccess file can be contrived, yes. It's hard to imagine how that would happen other than someone deleting it. The advice then, if any, should be "Be sure not to delete .htaccess from wiki.d/ - if you do it will be added back by PmWiki the first time a page is saved". As for your second point, if .htaccess doesn't protect the directory, why would you ever tell someone they need to put an .htaccess file in the directory? To the contrary, that advice could lead a newbie administrator into a false sense of security.
I'm not sure why you keep deflecting over to that orthogonal section, which is contradictory to your assertion that I'm "not completely wrong".. I'm trying to discuss my original question: whether administrators need to concern themselves with manually adding .htaccess in wiki.d/. I think not. The probability of that being a concern isn't zero, but it's pretty close. They'd need to have a wiki where (1) pages are not being written and (2) the .htaccess file that was there as of the last page-write has been deleted. There are *much* more important things to mention on that recipe's page, including the section you keep referring to. (Mentioning the uploads/ directory & discussing a protective index.php file to deny dir-listings come to mind... How about suggesting moving the pagestore outside the web document tree entirely?) No worries.. I'll edit the page some more in the next day or so and create a -Talk page for discussion about it. All will be rosy and wikiadmins will sleep well in peace. :-)
I totally agree with you, in fact, I'm trying to say exactly the same thing you wrote -- obviously failing, not sure why. If you feel your original request in this PITS entry requires something else from me, please reopen it. --Petko June 02, 2014, at 01:49 AM