
Question

I noted that the default .htaccess specifies a <Files> stanza for several scripts (edit, preview, save, attach, upload, rename, installpasswd) to declare the same thing, 'require valid-user'.

While I was tweaking my ModPerl setup I needed to explicitly define which scripts were to run under ModPerl, a similar situation (where each program was to have a stanza of settings).

Long story short...

I took:

<Files "edit">
       require valid-user
</Files>

<Files "preview">
       require valid-user
</Files>

<Files "save">
       require valid-user
</Files>

<Files "attach">
       require valid-user
</Files>

<Files "upload">
       require valid-user
</Files>

<Files "rename">
       require valid-user
</Files>

<Files "installpasswd">
       require valid-user
</Files>

And made it:

<FilesMatch "^(edit|preview|save|attach|upload|rename|installpasswd)$">
        require valid-user
</FilesMatch>

My question being: is any sanity/time/space really saved by the above?

  • TWiki version: [Version: 01 Dec 2001]
  • Web server: Apache/1.3.26 (Unix) mod_perl/1.27 mod_ssl/2.8.10 OpenSSL/0.9.6a
  • Server OS: FreeBSD 4.6-STABLE
  • Web browser: IE 6.0
  • Client OS: XP/Home

-- DrewCard - 27 Jul 2002

Answer

Moved from Support since this is a Codev issue. It is somewhat more elegant to list the files like this, so we might as well do it - easier to add a script, at least.

-- RichardDonkin - 27 Jul 2002

Originally I felt it would be better to specify the individual programs explicitly. When I tried to specify the multiple files originally in a <Files> stanza like:

<files "edit" "preview" _etc_ >
earned me an error...

[Sat Jul 27 11:04:29 2002] [alert] [client XXX.XXX.XXX.XXX] /usr/local/www/twiki/bin/.htaccess: Multiple <Files> arguments not (yet) supported.

Thus leading me to the regular expression style.

-- DrewCard - 05 Aug 2002

It seems to me that if you choose to require a valid-user, you would want to protect all of the scripts in the bin directory. Identifying them explicitly in the conf can create holes in your security if you add plugins or other scripts into that bin dir and forget to modify your config. I would suggest the following if you're using Apache 2.0 or greater:

    <FilesMatch "^(?!oops)">
        require valid-user
    </FilesMatch>

-- MichaelKeenan - 22 Nov 2003
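The two approaches above (the explicit FilesMatch allowlist from the question and the "everything except oops" rule) behave differently once a script is dropped into bin that nobody listed. The following added example is not code from this page or from TWiki; it is a small Python model of how Apache evaluates the two FilesMatch regexes against a directory listing, so the difference can be checked offline before touching a live .htaccess. The script names "myplugin" and "edit.bak" are constructed to stand in for an unlisted plugin script and a stray backup copy; the rest are the TWiki bin scripts named on this page.

```python
import re

# Constructed bin directory listing: the seven scripts the page's .htaccess
# protects, the read-only "view" and "oops" scripts, plus two hypothetical
# files ("myplugin", "edit.bak") that were never added to the allowlist.
BIN_SCRIPTS = ["view", "edit", "preview", "save", "attach", "upload", "rename",
               "installpasswd", "oops", "myplugin", "edit.bak"]

# The consolidated allowlist from the question. Both anchors matter: Apache
# FilesMatch is an unanchored search, so without "$" the pattern would also
# match e.g. "editpage".
ALLOWLIST = re.compile(r"^(edit|preview|save|attach|upload|rename|installpasswd)$")

# MichaelKeenan's rule: require a login for every file whose name does not
# start with "oops". Negative lookahead needs a PCRE-style engine, which is
# why the page says Apache 2.0 or greater.
EXCEPT_OOPS = re.compile(r"^(?!oops)")


def requires_auth(pattern, script_name):
    """True if Apache would apply 'require valid-user' to this file name.

    FilesMatch compares the regex against the last path component only and
    uses search semantics (a match anywhere in the name counts)."""
    return pattern.search(script_name) is not None


def unprotected(pattern, script_names):
    """Scripts a client could run without authenticating under this rule."""
    return [s for s in script_names if not requires_auth(pattern, s)]


def build_filesmatch(script_names):
    """Regenerate the anchored allowlist stanza from a list of script names,
    escaping each name so dots and other metacharacters stay literal."""
    alternation = "|".join(re.escape(s) for s in script_names)
    return '<FilesMatch "^(%s)$">\n    require valid-user\n</FilesMatch>' % alternation


if __name__ == "__main__":
    print("allowlist leaves open:", unprotected(ALLOWLIST, BIN_SCRIPTS))
    print("except-oops leaves open:", unprotected(EXCEPT_OOPS, BIN_SCRIPTS))
    print(build_filesmatch(["edit", "preview", "save"]))
```

Under the allowlist, "myplugin" and "edit.bak" are reachable without a login, which is exactly the hole MichaelKeenan describes; under the negative-lookahead rule only "oops" is. Whichever form is used, run `apachectl configtest` (or `httpd -t`) after editing, since a FilesMatch typo fails closed at startup rather than silently exposing scripts, and check that the regex engine of the Apache version in use accepts `(?!...)` before relying on it.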

MichaelKeenan: In some corporate environments, the ability to read from the server is determined by whether you can connect to it; you only need to authenticate to edit things (so that revision control works, for example). Forcing a login for all scripts is overkill, and causes trouble with less technical users - they tend not to listen when they're told that just reading pages can expose their login for editing use, but can make the link between logging in to make changes, and needing to log out.

-- SimonFarnsworth - 08 Sep 2005

Topic revision: r7 - 2005-09-08 - SimonFarnsworth