safe => 0, # paranoia
rebuild => 0,
},
+ include => {
+ type => "string",
+ default => undef,
+ example => '^\.htaccess$',
+ description => "regexp of normally ignored source files to include",
+ advanced => 1,
+ safe => 0, # regexp
+ rebuild => 1,
+ },
exclude => {
type => "string",
default => undef,
$file =~ s#^\Q$base\E/+##;
}
+ if (defined $config{include} && length $config{include}) {
+ return 0 if $file =~ m/$config{include}/;
+ }
+
my $regexp='('.join('|', @{$config{wiki_file_prune_regexps}}).')';
return $file =~ m/$regexp/;
}
as used by yahoo and google urls.
* Add complete German basewiki and directives translation done by
Sebastian Kuhnert.
+ * Add a include setting, which can be used to make ikiwiki process
+ wiki source files, such as .htaccess, that would normally be skipped
+ for security or other reasons. Closes: #447267
+ (Thanks to Aaron Wilson for the original patch.)
-- Joey Hess <joeyh@debian.org> Sat, 13 Mar 2010 14:48:10 -0500
--- /dev/null
+If you try to include a `.htaccess` file in your wiki's source, in order to
+configure the web server, you'll find that ikiwiki excludes it from
+processing. In fact, ikiwiki excludes any file starting with a dot, as well
+as a lot of other files, for good security reasons.
+
+You can tell ikiwiki not to exclude the .htaccess file by adding this to
+your setup file:
+
+ include => '^\.htaccess$',
+
+Caution! Before you do that, please think for a minute about who can edit
+your wiki. Are attachment uploads enabled? Can users commit changes
+directly to the version control system? Do you trust everyone who can
+make a change to not do Bad Things with the htaccess file? Do you trust
+everyone who *might* be able to make a change in the future? Note that a
+determined attacker who can write to the htaccess file can probably get a
+shell on your web server.
+
+If any of these questions have given you pause, I suggest you find a
+different way to configure the web server. One way is to not put the
+`.htaccess` file under ikiwiki's control, and just manually install it
+in the destdir.
+
+[Apache's documentation](http://httpd.apache.org/docs/1.3/howto/htaccess.html)
+says
+> In general, you should never use .htaccess files unless you don't have
+> access to the main server configuration file.
+This is good advice -- if you can edit apache's main configuration files,
+then you should not use a htaccess file.
+--[[Joey]]
+1 for various purposes (but sometimes the filename isn't `.htaccess`, so please make it configurable) --[[schmonz]]
> I've described a workaround for one use case at the [[plugins/rsync]] [[plugins/rsync/discussion]] page. --[[schmonz]]
+
+---
+
+[[done]], you can use the `include` setting to override the default
+excludes now. Please use extreme caution when doing so. --[[Joey]]
Specifies a rexexp of source files to exclude from processing.
May be specified multiple times to add to exclude list.
+* --include regexp
+
+ Specifies a rexexp of source files, that would normally be excluded,
+ but that you wish to include in processing.
+ May be specified multiple times to add to include list.
+
* --adminuser name
Specifies a username of a user (or, if openid is enabled, an openid)
"exclude=s@" => sub {
push @{$config{wiki_file_prune_regexps}}, $_[1];
},
+ "include=s@" => sub {
+ $config{include}=defined $config{include} && length $config{include} ? "$config{include}|$_[1]" : $_[1];
+ },
"adminuser=s@" => sub {
push @{$config{adminuser}}, $_[1]
},