Feature Proposal: Security: Don't expose twiki root directory as html doc root
Make a TWiki installation less likely to expose content by accident.
Description and Documentation
Currently, the twiki root is configured as an html doc root in Apache's twiki.conf. For security, subdirectories such as twiki/data need to be excluded explicitly. If an admin adds a new subdir (for example when installing an extension such as Kino search), that dir needs to be excluded as well. This is easy to forget.
It is much safer to not expose the twiki root as html doc root. Only two dirs need to be exposed:
- twiki/pub should be html doc root enabled
- twiki/bin needs to be cgi-bin enabled
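The difference between the two layouts, as an added sketch that is not taken from TWiki's shipped twiki.conf or from the config generator. It assumes an install path of /var/www/twiki, a URL prefix of /twiki, and Apache 2.4 access-control syntax.

```apache
# Added example. Assumptions: TWiki installed in /var/www/twiki, served
# under /twiki, Apache 2.4 (Require) syntax.

# --- Before: whole twiki root mapped into URL space, deny-list per subdir ---
# (shown commented out for comparison)
#
# ScriptAlias /twiki/bin "/var/www/twiki/bin"
# Alias       /twiki     "/var/www/twiki"
# <Directory "/var/www/twiki/data">
#     Require all denied
# </Directory>
#
# Every other private subdirectory needs its own deny block. A subdirectory
# created later (for example by an extension) is served until someone
# remembers to add one.

# --- After: allow-list, only bin and pub are mapped ---

# Default for the whole tree: nothing is served, .htaccess cannot relax it.
<Directory "/var/www/twiki">
    Require all denied
    AllowOverride None
</Directory>

# twiki/bin: reachable only as CGI scripts.
ScriptAlias /twiki/bin "/var/www/twiki/bin"
<Directory "/var/www/twiki/bin">
    Require all granted
</Directory>

# twiki/pub: static files only, no script execution, no directory listings.
Alias /twiki/pub "/var/www/twiki/pub"
<Directory "/var/www/twiki/pub">
    Options -ExecCGI -Indexes
    Require all granted
</Directory>
```

With no Alias for /twiki itself, a new subdirectory under the twiki root has no URL mapping at all, so it stays private without any further configuration.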
While at it, we should clean up the twiki root dir, and make it easier to install TWiki.
- update twiki.conf
- update installation docs and upgrade doc
- update release notes
- update apache config generator on twiki.org
- replace .html docs in twiki root with .txt version (move to subdir?)
I propose to introduce this in the next patch release, e.g. 4.3.1.
-- Contributors: PeterThoeny
Accepted at HelsinkiReleaseMeeting2009x04x20
- No need to update installation and upgrade docs
- No need to update release notes
- Updated TWiki.ApacheConfigGenerator