From: <de...@de...> - 2009-11-06 23:26:14
|
Author: PeterThoeny Date: 2009-11-06 17:26:02 -0600 (Fri, 06 Nov 2009) New Revision: 18203 Trac url: http://develop.twiki.org/trac/changeset/18203 Modified: twiki/branches/TWikiRelease04x03/data/TWiki/TWikiAccessControl.txt Log: Item6318: Improved docs on securing file attachments Modified: twiki/branches/TWikiRelease04x03/data/TWiki/TWikiAccessControl.txt =================================================================== --- twiki/branches/TWikiRelease04x03/data/TWiki/TWikiAccessControl.txt 2009-11-06 23:25:04 UTC (rev 18202) +++ twiki/branches/TWikiRelease04x03/data/TWiki/TWikiAccessControl.txt 2009-11-06 23:26:02 UTC (rev 18203) @@ -1,5 +1,4 @@ -%META:TOPICINFO{author="TWikiContributor" date="1236112853" format="1.1" version="$Rev$"}% -%STARTINCLUDE% +%META:TOPICINFO{author="TWikiContributor" date="1257549712" format="1.1" version="$Rev$"}% ---+ TWiki Access Control _Restricting read and write access to topics and webs, by Users and groups_ 
@@ -140,25 +139,31 @@ See "How TWiki evaluates ALLOW/DENY settings" below for more on how ALLOW and DENY interacts. #ControllingAttachments ----+++ Controlling access to Attachments +#SecuringAttachments +---+++ Securing File Attachments -Attachments are referred to directly, and are not normally indirected via TWiki scripts. This means that the above instructions for access control will _not_ apply to attachments. It is possible that someone may inadvertently publicise a URL that they expected to be access-controlled. +By default, TWiki does not secure file attachments. Without making the following changes to the twiki.conf file, it is possible for anyone who has access to the server to gain access to an attachment if they know the attachment's fully qualified path, even though access to the topic associated with the attachment is secured. This is because attachments are referred to directly by Apache, and are not by default delivered via TWiki scripts. This means that the above instructions for controlling to topics do __not__ apply to attachments unless you make the changes as described below. -The easiest way to apply the same access control rules for attachments as apply to topics is to use the Apache =mod_rewrite= module, and configure your webserver to redirect accesses to attachments to the TWiki =viewfile= script. For example, +An effective way to secure attachments is to apply the same access control settings to attachments as those applied to topics. This security enhancement can be accomplished by instructing the webserver via Apache's =mod_rewrite= module to redirect accesses to attachments via the TWiki =viewfile= script, which honors the TWiki access controls settings to topics. 
+The preferred method to secure attachments is by editing the =twiki.conf= file to include: + <verbatim> ScriptAlias /twiki/bin/ /filesystem/path/to/twiki/bin/ Alias /twiki/pub/ /filesystem/path/to/twiki/pub/ RewriteEngine on - RewriteCond %{REQUEST_URI} !^/+twiki/+pub/+TWiki/+.+ - RewriteRule ^/+twiki/+pub/+([^/]+)/+((([^/]+)/+)+)(.+) /twiki/bin/viewfile/$1/$4?filename=$5 [L,PT] + RewriteCond %{REQUEST_URI} !^/+twiki/+pub/+(TWiki|Sandbox)/+.+ + RewriteRule ^/+twiki/+pub/+(.*)$ /twiki/bin/viewfile/$1 [L,PT] </verbatim> -That way all the controls that apply to the topic also apply to attachments to the topic. Other types of webserver have similar support. +__Notes:__ + * You can use TWiki:TWiki/ApacheConfigGenerator to generate the Apache config file for TWiki. + * You will need to restart your Apache server after this change. + * Images embedded in topics will load slower since attached images will also be delivered by the =viewfile= script. The TWiki web and Sandbox web are excluded for performance reasons. + * As an alternative to editing the =twiki.conf= file used by Apache, you can make the same change directly to the =.htaccess= file in the =/twiki/bin= directory. + * The =viewfile= script sets the mime type based upon file name suffix. Unknown types are served as text/plain which can result in corrupt files. -__Note:__ Images embedded in topics will load much slower since each image will be delivered by the =viewfile= script. - #RootWebs ---+++ Controlling who can manage top-level webs |
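Review bot: The first hunk (@@ -1,5 +1,4 @@) removes the %STARTINCLUDE% line together with the TOPICINFO date bump, but the log message only mentions improved docs on securing file attachments. If dropping the include marker is intentional, state it in the log message. Otherwise restore the line, since topics that include this one will now pull in a different range of text.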
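Review bot: In the second hunk (@@ -140,25 +139,31 @@), the new bullet offering the =.htaccess= file in =/twiki/bin= as an alternative does not match the configuration shown above it. The RewriteCond and RewriteRule match request paths under /twiki/pub/, which a per-directory file under bin is never consulted for, and Alias and ScriptAlias are not permitted in .htaccess. An administrator following that bullet would believe attachments are secured while Apache still serves them directly. Suggest dropping the bullet or replacing it with a variant written and tested for per-directory context. Separately, the RewriteCond now excludes Sandbox as well as TWiki, and the notes give only performance as the reason. Add a sentence saying that attachments in those two webs stay reachable by direct URL regardless of topic access settings. Minor wording in the first added paragraph: "controlling to topics" is missing "access", and "access controls settings" should read "access control settings".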