UserGuide: How to use PROTECTED_READ

This revision is from 2009/03/28 23:53.

If you want to keep your pages (content) private, you can use the config option $PROTECTED_READ. If you use an Apache server and have .htaccess files enabled, you don't need to read on: it will be secure without any modifications.

How does it work

Very simply: LionWiki denies every access to the pages unless the user has entered the password. However, because LionWiki doesn't use a database and stores all pages in plain text files, one can read the pages without invoking LionWiki at all (e.g. by entering a URL like http://lionwiki.0o.cz/pages/Main+page.txt directly in the browser).

How can this security hole be closed?

Solutions

Apache + .htaccess

In the default distribution, the directories pages, history and plugins/data contain a .htaccess file with the following content:

deny from all

This causes every browser request to any file or directory below them (recursively) to be denied. It works on every Apache installation with .htaccess support enabled (the absolute majority of sites, I guess). As far as I know, Microsoft IIS has some support for .htaccess too, but I don't have any installation to test this.

Changing $BASE_DIR

$BASE_DIR contains the path to the directory that holds the pages and history directories. It is empty by default, so LionWiki looks for these directories in the current directory.

If you move the pages and history directories to a directory that the browser cannot reach (one the web server does not serve), you are perfectly secure too. This works on all platforms.

Renaming pages and history dirs to something unpredictable

If you just rename these directories to something like "history%$*&()4564", an attacker won't be able to guess the right path to the pages and history directories, and therefore your data will be secure. This is not as secure as the two options mentioned above, but it's quite easy.

Of course, you must then change $PAGES_DIR and $HISTORY_DIR in your config file to the new values.
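A config fragment that combines the .htaccess and $BASE_DIR options above with a deploy-time check that the page store is not fetchable from the web, added here as an example and not LionWiki's own code. It assumes config.php is included by LionWiki, that $PAGES_DIR and $HISTORY_DIR hold the full paths LionWiki reads from (how they combine with $BASE_DIR is an assumption), and that /var/lib/lionwiki and /var/www/html are constructed paths.

```php
<?php
// Added example (not LionWiki's own code): config.php fragment for $PROTECTED_READ
// plus a check that pages/ and history/ cannot be fetched by a direct URL.
// Assumed: $PROTECTED_READ, $BASE_DIR, $PAGES_DIR, $HISTORY_DIR are the option
// names from this page; the paths below are constructed for the example.

$PROTECTED_READ = true;

// "Changing $BASE_DIR": keep the page store outside the document root.
$BASE_DIR    = '/var/lib/lionwiki/';
$PAGES_DIR   = $BASE_DIR . 'pages';
$HISTORY_DIR = $BASE_DIR . 'history';

// True when $dir is outside $docroot (no URL maps to it), or when it is inside
// but carries a deny-all .htaccess ("deny from all" is the Apache 2.2 form,
// "Require all denied" the Apache 2.4 form). Fails closed on missing paths.
function lionwiki_store_is_shielded(string $dir, string $docroot): bool
{
    $real_dir  = realpath($dir);
    $real_root = realpath($docroot);
    if ($real_dir === false || $real_root === false) {
        return false;
    }
    $real_root = rtrim($real_root, '/') . '/';
    $inside = strncmp($real_dir . '/', $real_root, strlen($real_root)) === 0;
    if (!$inside) {
        return true;
    }
    $ht = @file_get_contents($real_dir . '/.htaccess');
    if ($ht === false) {
        return false;
    }
    return preg_match('/^\s*(deny\s+from\s+all|Require\s+all\s+denied)\s*$/mi', $ht) === 1;
}

// Warn at include time if PROTECTED_READ is set but the store is still reachable.
$docroot = $_SERVER['DOCUMENT_ROOT'] ?? '/var/www/html';
foreach ([$PAGES_DIR, $HISTORY_DIR] as $store) {
    if (!lionwiki_store_is_shielded($store, $docroot)) {
        trigger_error("PROTECTED_READ is on but $store is fetchable from the web: "
            . "move it outside the document root or add a deny-all .htaccess",
            E_USER_WARNING);
    }
}
```

The renaming option from the section above passes the same check only if the renamed directories also sit outside the document root or keep their .htaccess, which is exactly why the page rates it as the weaker choice.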

Other ways

There are other ways to fix this problem (e.g. with the right file permissions), but I'm too tired to describe them all.
