SID-00721: Securing Attachments
| Status: | Unanswered | TWiki version: | 4.3.2 | Perl version: | 5.8.8 |
| Category: | CategoryAccessControl | Server OS: | Linux 2.6.18-53.1.14.el5pae | Last update: | 16 years ago |
We are using TWiki with TemplateLogin, and would like to secure our attachments. We are using the instructions at TWikiAccessControl.
We are also using Godaddy shared linux hosting, so we don't have access to httpd.conf and can't restart the server. So, we want to use the .htaccess method. I know very little Perl, but have learned enough to edit these files successfully given instructions.
Problem is, the instructions say to "make the same change directly to the .htaccess file in the /twiki/bin directory". Since you can't use ScriptAlias or Alias in .htaccess, what do I need to do? Should I use Redirect?
Thanks, Rick
--
RickMartin - 2010-01-18
Discussion and Answer
Not sure if that works in the twiki/pub's .htaccess, but try adding the RewriteEngine, RewriteCond, RewriteRule directives as per TWikiAccessControl docs.
--
PeterThoeny - 2010-01-18
Thanks Peter,
Do you mean add the last three lines of the code at http://twiki.org/cgi-bin/view/TWiki/TWikiAccessControl#SecuringAttachments to BOTH twiki/bin/.htaccess and twiki/pub/.htaccess?
I had previously tried adding just the last three lines to only twiki/bin/.htaccess (because the instructions only specify that file). TWiki ran with no apparent errors, but attachments weren't secured. I suspect that would be because the script doesn't have the complete file path at this time because ScriptAlias and Alias hadn't set them.
Wouldn't I be able to just add the entire file path to the last RewriteCond and RewriteRule lines? If so, I'm not sure of syntax.
--
RickMartin - 2010-01-18
OK I added the following lines to twiki/pub/.htaccess:
RewriteEngine on
RewriteCond %{REQUEST_URI} !^(TWiki|Sandbox)/+.+
RewriteRule ^(.*)$ ../bin/viewfile/$1 [L,PT]
Attachments seem secure now. As expected, load times are slower.
There is one remaining issue though: load times are also slow in the TWiki and Sandbox webs ... but it seems like they shouldn't be. Further to that, it seems I should be able to apply this rule to ONLY the webs I specify by using something like:
RewriteCond %{REQUEST_URI} ^(MyWebName)/+.+
Any thoughts?
--
RickMartin - 2010-01-20
You need to match the RewriteCond with your actual pub path. For example, if your pub path for the Sandbox web is /twiki/pub/Sandbox, then your condition would be something like:
RewriteCond %{REQUEST_URI} !^/+twiki/+pub/+(TWiki|Sandbox)/+.+
If you want to secure ONLY one or two webs do as you wrote, or:
RewriteCond %{REQUEST_URI} ^/+twiki/+pub/+(MySecureA|MySecureB)/+.+
--
PeterThoeny - 2010-01-20
That didn't work unfortunately, and I tried a whole bunch of different variations and paths as well.
It's ok though, it's usable the way it is so I'll mark this question as Closed unanswered. I'll still check this occasionally, so if you think of anything in the meantime feel free to post.
Thanks muchly for your help.
--
RickMartin - 2010-02-04
Forgot to change status ...
--
RickMartin - 2010-02-04
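Added example, not part of the original thread: a Python check of which request paths each RewriteCond quoted above would send through bin/viewfile, given that Apache's %{REQUEST_URI} holds the full URL path beginning with "/". The /twiki/pub prefix follows the example path in the answer above; the sample paths, the Main web and the function names are constructed for illustration.

```python
import re

# Constructed sample request paths (assumption: pub is served at /twiki/pub).
SAMPLE_URIS = [
    "/twiki/pub/TWiki/TWikiLogos/logo.gif",
    "/twiki/pub/Sandbox/TestTopic/notes.txt",
    "/twiki/pub/MySecureA/Plans/budget.xls",
    "/twiki/pub/Main/WebHome/photo.jpg",
]

# RewriteCond patterns quoted in the thread; a leading "!" negates the match.
CONDITIONS = {
    "relative_exclude": "!^(TWiki|Sandbox)/+.+",
    "full_path_exclude": "!^/+twiki/+pub/+(TWiki|Sandbox)/+.+",
    "full_path_include": "^/+twiki/+pub/+(MySecureA|MySecureB)/+.+",
}


def cond_holds(cond, request_uri):
    """Evaluate one RewriteCond pattern against the REQUEST_URI value."""
    negate = cond.startswith("!")
    pattern = cond[1:] if negate else cond
    # Apache regexes are unanchored unless the pattern anchors itself.
    matched = re.search(pattern, request_uri) is not None
    return matched != negate


def routed_through_viewfile(name):
    """URIs for which the condition holds, so the viewfile rewrite applies."""
    return [u for u in SAMPLE_URIS if cond_holds(CONDITIONS[name], u)]


def served_directly(name):
    """URIs the condition skips: Apache serves them with no TWiki access check."""
    return [u for u in SAMPLE_URIS if not cond_holds(CONDITIONS[name], u)]


if __name__ == "__main__":
    for name in CONDITIONS:
        print(name)
        for uri in SAMPLE_URIS:
            via = "viewfile" if cond_holds(CONDITIONS[name], uri) else "direct"
            print(f"  {via:8} {uri}")
```

The pattern without the leading path never matches a REQUEST_URI value, so its negated condition holds for every sample path, TWiki and Sandbox included. With the include-only condition, attachments in any web not listed are served by Apache directly, without TWiki's access check.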