From: Jim C. <ji...@iN...> - 2004-05-14 03:53:58
By default, the 1.3.10 config.ini is placed within the public webspace
for the wiki.

This means that it can be retrieved by anyone asking for
http://<wikiname>/config/config.ini

I don't feel very comfortable about allowing that file to be returned by
the web server, so I moved mine outside the DocumentRoot for my site,
and amended the wiki index.php :-

    #IniConfig(dirname(__FILE__)."/config/config.ini");
    IniConfig("/var/www/docs/<site>/wiki-config.ini");

Now, I expect that as PHP has to read this file, Apache can access it
too, but because it's not within the DocumentRoot (in my case
/var/www/docs/<site>/www) it is protected well-enough.

The most sensitive piece of data in there would be the dsn password,
which should have been locked down to the webhost only anyway, but that
won't protect against users who share a common machine with others.

--
-jim cheetham :: ji...@iN... :: m+64 21 177 8606
iNode :: effective computing in an interconnected world

From: Matthew P. <mp...@he...> - 2004-05-14 04:54:41
On Fri, May 14, 2004 at 03:53:45PM +1200, Jim Cheetham wrote:
> I don't feel very comfortable about allowing that file to be returned by
> the web server, so I moved mine outside the DocumentRoot for my site,
> and amended the wiki index.php :-
>
> #IniConfig(dirname(__FILE__)."/config/config.ini");
> IniConfig("/var/www/docs/<site>/wiki-config.ini");

I'd recommend placing it in /etc/phpwiki, along with the apache config
snippet and any other relevant files. That's a nice default, BTW.

Alternatively, you could .htaccess the config directory out of reach of
web browsers.

- Matt

--
"Alas, slideware often reduces the analytical quality of presentations.
In particular, the popular PowerPoint templates (ready-made designs)
usually weaken verbal and spatial reasoning, and almost always corrupt
statistical analysis." -- http://www.edwardtufte.com/tufte/books_pp

From: Reini U. <ru...@x-...> - 2004-05-14 10:15:26
Jim Cheetham wrote:
> By default, the 1.3.10 config.ini is placed within the public webspace
> for the wiki.

Oops, please everybody copy lib/.htaccess to config/

    $ cp lib/.htaccess config/

> This means that it can be retrieved by anyone asking for
> http://<wikiname>/config/config.ini
>
> I don't feel very comfortable about allowing that file to be returned by
> the web server, so I moved mine outside the DocumentRoot for my site,
> and amended the wiki index.php :-
>
> #IniConfig(dirname(__FILE__)."/config/config.ini");
> IniConfig("/var/www/docs/<site>/wiki-config.ini");

Matthew Palmer's suggestion (the debian maintainer) to put it into
/etc/phpwiki/config.ini is also fine, provided that the apache user has
read permissions.

> Now, I expect that as PHP has to read this file, Apache can access it
> too, but because it's not within the DocumentRoot (in my case
> /var/www/docs/<site>/www) it is protected well-enough.
>
> The most sensitive piece of data in there would be the dsn password,
> which should have been locked down to the webhost only anyway, but that
> won't protect against users who share a common machine with others.

--
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/

From: Jim C. <ji...@in...> - 2004-05-21 10:00:26
On May 14, 2004, at 3:53 PM, Jim Cheetham wrote:
> By default, the 1.3.10 config.ini is placed within the public webspace
> for the wiki.
>
> This means that it can be retrieved by anyone asking for
> http://<wikiname>/config/config.ini

Well, more accurately, if your Apache webserver's httpd.conf doesn't have

    AllowOverride AuthConfig Limit

in a <Directory> element relevant to your wiki location, it can be
retrieved by anyone.

-jim

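Added example (not part of the thread and not PhpWiki code): a shell check of the two exposure conditions raised in the messages above, whether config.ini is reachable under the DocumentRoot and whether other local users can read it. The function name, finding strings and demo paths are made up for this example, and it assumes a find that supports -samefile (GNU or BSD).

```shell
#!/bin/sh
# audit_wiki_config DOCROOT CONFIG_FILE
# Prints one finding per line; returns 0 when clean, 1 on exposure, 2 on bad input.
# Assumes a find that supports -samefile (GNU or BSD find).

audit_wiki_config() {
    docroot=$1 cfg=$2 status=0
    [ -d "$docroot" ] && [ -f "$cfg" ] || { echo "ERROR bad-arguments"; return 2; }

    # Any path under DocumentRoot that resolves to the same file (the file
    # itself, a symlink or a hard link) can be mapped to a URL by the server.
    hit=$(find -L "$docroot" -samefile "$cfg" 2>/dev/null | head -n 1)
    if [ -z "$hit" ]; then
        echo "OK outside-docroot"
    elif [ -f "$(dirname "$hit")/.htaccess" ]; then
        # Protects the file only if httpd.conf has AllowOverride AuthConfig Limit
        # for this directory; this script does not parse httpd.conf.
        echo "WARN inside-docroot-relies-on-htaccess"
    else
        echo "FAIL inside-docroot-unprotected"
        status=1
    fi

    # Shared-machine concern: the "other" read bit lets any local user read it.
    if [ -n "$(find -L "$cfg" -prune -perm -004 2>/dev/null)" ]; then
        echo "FAIL world-readable"
        status=1
    else
        echo "OK not-world-readable"
    fi
    return $status
}

# Constructed demo tree (temporary, not real site paths).
demo=$(mktemp -d)
mkdir -p "$demo/www/config" "$demo/private"
echo '; constructed stand-in for config.ini' > "$demo/www/config/config.ini"
cp "$demo/www/config/config.ini" "$demo/private/wiki-config.ini"
chmod 644 "$demo/www/config/config.ini"
chmod 640 "$demo/private/wiki-config.ini"
echo "default layout:"
audit_wiki_config "$demo/www" "$demo/www/config/config.ini" || echo "-> exposed"
echo "relocated config:"
audit_wiki_config "$demo/www" "$demo/private/wiki-config.ini" || echo "-> exposed"
rm -rf "$demo"
```

A WARN result still needs the AllowOverride setting confirmed in httpd.conf by hand.
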
From: Reini U. <ru...@x-...> - 2004-05-21 10:42:12
Jim Cheetham wrote:
> On May 14, 2004, at 3:53 PM, Jim Cheetham wrote:
>> By default, the 1.3.10 config.ini is placed within the public webspace
>> for the wiki.
>>
>> This means that it can be retrieved by anyone asking for
>> http://<wikiname>/config/config.ini
>
> Well, more accurately, if your Apache webserver's httpd.conf doesn't have
> AllowOverride AuthConfig Limit
> in a <Directory> element relevant to your wiki location, it can be
> retrieved by anyone.

But it's trivial to move config/ outside the webtree.
There is just one place where it's used, in index.php.

Debian for example will most likely put it into /etc/phpwiki/config.ini

This could be added to the INSTALL doc.

--
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/

From: Jim C. <ji...@in...> - 2004-05-21 22:21:57
On May 21, 2004, at 10:44 PM, Reini Urban wrote:
> Jim Cheetham wrote:
>> On May 14, 2004, at 3:53 PM, Jim Cheetham wrote:
> But it's trivial to move config/ outside the webtree.
> There is just one place where it's used, in index.php.
>
> Debian for example will most likely put it into /etc/phpwiki/config.ini

How difficult would it be to virtualise the entire wiki? I'd like to be
able to install the Debian package once, probably into
/usr/share/phpwiki/ ... and then in various VirtualHosts be able to
declare a (uniquely-named) wiki, that would be able to pick a different
config file (and possibly a different 'additional lib' for plugins) ...

Perhaps that would live better in an index.php file ...

    <?php PhpWiki config="UniqueWiki1" ?>

Then one package upgrade in /usr/share/phpwiki would effectively upgrade
every wiki instance on my server.

-jim

From: Matthew P. <mp...@de...> - 2004-05-21 23:23:28
On Sat, May 22, 2004 at 10:18:59AM +1200, Jim Cheetham wrote:
> How difficult would it be to virtualise the entire wiki? I'd like to be
> able to install the Debian package once, probably into
> /usr/share/phpwiki/ ... and then in various VirtualHosts be able to
> declare a (uniquely-named) wiki, that would be able to pick a different
> config file (and possibly a different 'additional lib' for plugins) ...

As it stands, it wouldn't be particularly simple, because PHPWiki does
everything from its index file, which is hardcoded to look for its config
file in one place. We need to tell index.php to get its config from
different places depending on which virtual instance invoked it for this
particular run.

What I have just recently done for another project is to create multiple
configuration instances by indexing a config file by a unique substring of
the URL. So, if you've got two PHPWiki sites http://www.site.com/wiki and
http://www.site.com/otherwiki, your config sections would be linked to
'/wiki' and '/otherwiki'. Similarly, if they're on different virtual hosts
entirely, you can have your sections as 'site1.com' and 'site2.com' if
they're the unique substrings.

This is cute because it requires nothing more than to set up another
section in your config file for the new vhost and add an alias. It's a
PITA for PHPWiki because it would almost certainly mean a new config file
to handle the substring => config file mapping, as you wouldn't want
multiple PHPWiki configs in the one file (it'd be a little long and
confusing).

Another method, if you wanted it, that would work in PHPWiki more or less
as-is, would be to use the other method I devised for the above project
(which I didn't use as the substring method was more appropriate in that
case). Create a constant, perhaps called __CONFIGURED, that will be
defined true once all of the appropriate config statements have been
processed. Then, tell index.php not to call IniConfig() (or tell
IniConfig() not to do anything) if __CONFIGURED is defined.

How does this help? Because you put something like the following in your
apache.conf for each of the virtualised PHPWiki instances:

    php_value auto_prepend_file /some/config/file.php

Where /some/config/file.php is unique for each instance, and contains
pretty much the following code:

    require_once '/usr/share/phpwiki/lib/IniConfig.php';
    IniConfig('/some/config/file.ini');
    define('__CONFIGURED', true);

Again, where /some/config/file.ini is unique to that virtual instance of
PHPWiki and filled with lovely local-specific config options.

You then point each virtual instance of PHPWiki at /usr/share/phpwiki for
its code, index.php runs for everyone but skips the default config for
your virtual instances because __CONFIGURED is defined, and IniConfig()
has previously run with your per-instance config file.

If you're interested in using this method (which I think may be the better
option for PHPWiki), I'm happy to patch index.php in Debian to support
this, as it doesn't break anything in the default case (single instance,
config in /etc/phpwiki/config.ini).

- Matt

From: Jim C. <ji...@in...> - 2004-05-22 06:38:37
On May 22, 2004, at 11:22 AM, Matthew Palmer wrote:
> On Sat, May 22, 2004 at 10:18:59AM +1200, Jim Cheetham wrote:
>> How difficult would it be to virtualise the entire wiki?
>
> php_value auto_prepend_file /some/config/file.php
>
> Where /some/config/file.php is unique for each instance, and contains
> pretty much the following code:
>
> require_once '/usr/share/phpwiki/lib/IniConfig.php';
> IniConfig('/some/config/file.ini');
> define('__CONFIGURED', true);

This sounds like an interesting approach, and something I can keep in
mind for other projects, too :-)

I'd like to see this in phpwiki, but from your description I can happily
add it to my own copies. I don't really know whether such a modification
should be in the Debian version if it's not in the main project, but
that's not my call ...

-jim

From: Reini U. <ru...@x-...> - 2004-05-22 09:33:17
It would be much easier as we do it on sf.net with the demo wiki. Or at my
test site.
This explanation is also somewhere at the phpwiki site, and asked multiple
times.

We have a bunch of small scripts without extensions like 'en', 'de',
'macosx', 'sidebar', 'pear', 'adodb' and so on.
Each of these files has the php handler attached in the .htaccess file,
and overrides some config values, loads the phpwiki index.php, overrides
some other variables, and loads lib/main.php.

en:

    <?php // -*-php-*-
    // CONSTANTS as default wiki overrides before:
    define('WIKI_NAME', 'PhpWikiDemo:'.basename(__FILE__));
    define('VIRTUAL_PATH', $_SERVER['SCRIPT_NAME']);
    define('CHARSET','utf-8');
    include "index.php";
    // other VARIABLE overrides here:
    include "lib/main.php";
    ?>

This way you keep the site configuration in config.ini, and some special
constants, like VIRTUAL_PATH, WIKI_NAME, DEFAULT_PGSRC, $LANG, CHARSET,
and so on in the various loaders. See PrettyWiki.

And I don't really like Matthew's idea.
Different lib is impossible on the same phpwiki, please rename special
plugins then.
Different config files are also easy, but generally not needed. See the
content of index.php. These four lines could go into your start script if
you really need different config files. But you have to declare
PHPWIKI_DIR and DATA_PATH then, because you started phpwiki out of the
phpwiki directory.

> On Sat, May 22, 2004 at 10:18:59AM +1200, Jim Cheetham wrote:
>> How difficult would it be to virtualise the entire wiki? I'd like to be
>> able to install the Debian package once, probably into
>> /usr/share/phpwiki/ ... and then in various VirtualHosts be able to
>> declare a (uniquely-named) wiki, that would be able to pick a different
>> config file (and possibly a different 'additional lib' for plugins) ...
>
> As it stands, it wouldn't be particularly simple, because PHPWiki does
> everything from its index file, which is hardcoded to look for its
> config file in one place. We need to tell index.php to get its config
> from different places depending on which virtual instance invoked it for
> this particular run.
>
> What I have just recently done for another project is to create multiple
> configuration instances by indexing a config file by a unique substring
> of the URL. So, if you've got two PHPWiki sites http://www.site.com/wiki
> and http://www.site.com/otherwiki, your config sections would be linked
> to '/wiki' and '/otherwiki'. Similarly, if they're on different virtual
> hosts entirely, you can have your sections as 'site1.com' and
> 'site2.com' if they're the unique substrings.
>
> This is cute because it requires nothing more than to set up another
> section in your config file for the new vhost and add an alias. It's a
> PITA for PHPWiki because it would almost certainly mean a new config
> file to handle the substring => config file mapping, as you wouldn't
> want multiple PHPWiki configs in the one file (it'd be a little long and
> confusing).
>
> Another method, if you wanted it, that would work in PHPWiki more or
> less as-is, would be to use the other method I devised for the above
> project (which I didn't use as the substring method was more appropriate
> in that case). Create a constant, perhaps called __CONFIGURED, that will
> be defined true once all of the appropriate config statements have been
> processed. Then, tell index.php not to call IniConfig() (or tell
> IniConfig() not to do anything) if __CONFIGURED is defined.
>
> How does this help? Because you put something like the following in
> your apache.conf for each of the virtualised PHPWiki instances:
>
> php_value auto_prepend_file /some/config/file.php
>
> Where /some/config/file.php is unique for each instance, and contains
> pretty much the following code:
>
> require_once '/usr/share/phpwiki/lib/IniConfig.php';
> IniConfig('/some/config/file.ini');
> define('__CONFIGURED', true);
>
> Again, where /some/config/file.ini is unique to that virtual instance of
> PHPWiki and filled with lovely local-specific config options.
>
> You then point each virtual instance of PHPWiki at /usr/share/phpwiki
> for its code, index.php runs for everyone but skips the default config
> for your virtual instances because __CONFIGURED is defined, and
> IniConfig() has previously run with your per-instance config file.
>
> If you're interested in using this method (which I think may be the
> better option for PHPWiki), I'm happy to patch index.php in Debian to
> support this, as it doesn't break anything in the default case (single
> instance, config in /etc/phpwiki/config.ini).