Index: IkiWiki.pm
===================================================================
--- IkiWiki.pm (revision 2981)
+++ IkiWiki.pm (working copy)
@@ -26,7 +26,7 @@
memoize("file_pruned");
sub defaultconfig () {
- wiki_file_prune_regexps => [qr/\.\./, qr/^\./, qr/\/\./,
+ wiki_file_prune_regexps => [qr/\.\./, qr/^\.(?!htaccess)/, qr/\/\.(?!htaccess)/,
qr/\.x?html?$/, qr/\.ikiwiki-new$/,
qr/(^|\/).svn\//, qr/.arch-ids\//, qr/{arch}\//],
wiki_link_regexp => qr/\[\[(?:([^\]\|]+)\|)?([^\s\]#]+)(?:#([^\s\]]+))?\]\]/,
Note that the above patch is completely broken. It removes the crucial excludes of all files starting with a dot. The negative regexps for htaccess have no effect, so the whole thing only "works" because it allows any file starting with a dot. If you applied this patch to your ikiwiki, you opened a huge security hole. --Joey
This lets the site administrator have a .htaccess file in their underlay
directory, say, then get it copied over when the wiki is built. Without
this, installations that are located at the root of a domain don't get the
benefit of .htaccess such as improved directory listings, IP blocking,
URL rewriting, authorisation, etc.
I'm concerned about security ramifications of this patch. While ikiwiki won't allow editing such a .htaccess file in the web interface, it would be possible for a user who has svn commit access to the wiki to use it to add a .htaccess file that does $EVIL.
Perhaps this should be something that is configurable via the setup file instead. --Joey
See
Hi, I would like to have my htaccess files in svn repository so ikiwiki would export that file to my webspace with every commit.
That way I have revision control on that file too. That may be a security concern, but I trust everybody that has svn commit access and such .htaccess files should not be accessible through wiki cgi. Of course, it could default to 'off'.
See Debian bug #447267 for a patch for this.
It looks to me as though this functionality won't be included in ikiwiki unless someone who wants it takes responsibility for updating the patch from that Debian bug to be applicable to current versions, so that there's a setup file parameter for extra filenames to allow, defaulting to none (i.e. a less simplistic patch than the one at the top of this page). Joey, is this an accurate summary? --smcv
bump! I would like to see some form of this functionality included in ikiwiki. I use a patched version, but
its a bit of a PITA to constantly apply it (and to forget sometimes!). I know that security concern is important to consider,
but I use ikiwiki with a very small group of people collaborating so svn/web access is under control
and htaccess is for limiting access to some areas of wiki.
It should be off by default of course. --Max
+1 I want .htaccess so I can rewrite some old Wordpress URLs to make feeds work again. --hendry
Unless you cannot modify apache's configuration, you do not need htaccess to do that. Apache's documentation recommends against using htaccess unless you're a user who cannot modify the main server configuration. --Joey
+1 for various purposes (but sometimes the filename isn't .htaccess, so please make it configurable) --schmonz
I've described a workaround for one use case at the rsync discussion page. --schmonz
done, you can use the include setting to override the default
excludes now. Please use extreme caution when doing so. --Joey