massive patchqueue reorg

[ikiwiki.git] / doc / todo / enable-htaccess-files.mdwn

diff --git a/doc/todo/enable-htaccess-files.mdwn b/doc/todo/enable-htaccess-files.mdwn
new file mode 100644 (file)
index 0000000..accd96b
--- /dev/null
+++ b/doc/todo/enable-htaccess-files.mdwn
@@ -0,0 +1,29 @@
+    Index: IkiWiki.pm
+    ===================================================================
+    --- IkiWiki.pm  (revision 2981)
+    +++ IkiWiki.pm  (working copy)
+    @@ -26,7 +26,7 @@
+     memoize("file_pruned");
+     
+     sub defaultconfig () { #{{{
+    -       wiki_file_prune_regexps => [qr/\.\./, qr/^\./, qr/\/\./,
+    +       wiki_file_prune_regexps => [qr/\.\./, qr/^\.(?!htaccess)/, qr/\/\.(?!htaccess)/,
+                    qr/\.x?html?$/, qr/\.ikiwiki-new$/,
+                    qr/(^|\/).svn\//, qr/.arch-ids\//, qr/{arch}\//],
+           wiki_link_regexp => qr/\[\[(?:([^\]\|]+)\|)?([^\s\]#]+)(?:#([^\s\]]+))?\]\]/,
+
+[[tag patch]]
+
+This lets the site administrator have a `.htaccess` file in their underlay
+directory, say, then get it copied over when the wiki is built. Without
+this, installations that are located at the root of a domain don't get the
+benefit of `.htaccess` such as improved directory listings, IP blocking,
+URL rewriting, authorisation, etc. 
+
+> I'm concerned about security ramifications of this patch. While ikiwiki
+> won't allow editing such a .htaccess file in the web interface, it would
+> be possible for a user who has svn commit access to the wiki to use it to
+> add a .htaccess file that does $EVIL.
+> 
+> Perhaps this should be something that is configurable via the setup file
+> instead. --[[Joey]]