
Feature Proposal: Security: Don't expose twiki root directory as html doc root


Make a TWiki installation less likely to expose content by accident.

Description and Documentation

Currently, the twiki root is configured as an html doc root in Apache's twiki.conf. For security, subdirectories such as twiki/data need to be excluded explicitly. If an admin adds a new subdir (for example when installing an extension, such as Kino search), that dir needs to be excluded as well. This is easy to forget.

It is much safer to not expose the twiki root as html doc root. Only two dirs need to be exposed:

  • twiki/pub should be html doc root enabled
  • twiki/bin needs to be cgi-bin enabled

While at it, we should clean up the twiki root dir, and make it easier to install TWiki.


WhatDoesItAffect: Install


To do:

  • update twiki.conf
  • update installation docs and upgrade doc
  • update release notes
  • update apache config generator on twiki.org
  • replace .html docs in twiki root with .txt version (move to subdir?)

I propose to introduce this in the next patch release, e.g. 4.3.1.

-- Contributors: PeterThoeny - 2009-04-10
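
The layout proposed above, sketched as an Apache configuration fragment. This is an added example, not the twiki.conf or twiki_httpd_conf.txt shipped with TWiki; the install path /var/www/twiki, the /twiki URL prefix and the Apache 2.4 `Require` syntax are assumptions.

```apache
# Added example. /var/www/twiki and the /twiki URL prefix are assumed
# placeholders. Apache 2.4 access syntax; on 2.2 use "Order deny,allow"
# with "Deny from all" / "Allow from all" instead of Require.

# --- Before: whole twiki root is web-visible, sensitive dirs denied one by one
# Alias /twiki "/var/www/twiki"
# <Directory "/var/www/twiki">
#     Require all granted
# </Directory>
# <Directory "/var/www/twiki/data">
#     Require all denied
# </Directory>
# A directory added later (for example by an extension) is served until
# someone remembers to add another deny block for it.

# --- After: nothing under the twiki root is reachable unless mapped below
# Default deny for the whole tree (defence in depth in case the tree also
# sits under a DocumentRoot); new subdirectories stay private.
<Directory "/var/www/twiki">
    AllowOverride None
    Require all denied
</Directory>

# bin: the only location where scripts run
ScriptAlias /twiki/bin "/var/www/twiki/bin"
<Directory "/var/www/twiki/bin">
    Require all granted
</Directory>

# pub: static files only, no directory listing, no CGI execution
Alias /twiki/pub "/var/www/twiki/pub"
<Directory "/var/www/twiki/pub">
    Options -Indexes -ExecCGI
    Require all granted
</Directory>
```

After reloading Apache, a request for a path under /twiki other than bin or pub (for example /twiki/data/) should no longer return content from the install tree.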


Accepted at HelsinkiReleaseMeeting2009x04x20.

-- PeterThoeny - 2009-04-20

  • Updated twiki/twiki_httpd_conf.txt
  • No need to update installation and upgrade docs
  • No need to update release notes
  • Updated TWiki.ApacheConfigGenerator

-- PeterThoeny - 2009-10-26

Topic revision: r3 - 2009-10-26 - PeterThoeny