From 16112c32941a417c17ed5b2b6d503cd77ba1b8e3 Mon Sep 17 00:00:00 2001 From: joey Date: Sun, 18 Mar 2007 22:27:09 +0000 Subject: [PATCH 1/1] response --- debian/changelog | 2 +- doc/patchqueue/enable-htaccess-files.mdwn | 14 +++++++++++++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index 0d92b5175..26aaad53b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -13,7 +13,7 @@ ikiwiki (1.46) UNRELEASED; urgency=low * Applied a patch from Michał to make the mercurial backend pass --quiet to hg. - -- Joey Hess Sat, 17 Mar 2007 19:56:04 -0400 + -- Joey Hess Sun, 18 Mar 2007 18:22:12 -0400 ikiwiki (1.45) unstable; urgency=low diff --git a/doc/patchqueue/enable-htaccess-files.mdwn b/doc/patchqueue/enable-htaccess-files.mdwn index cb034fadf..ed968b195 100644 --- a/doc/patchqueue/enable-htaccess-files.mdwn +++ b/doc/patchqueue/enable-htaccess-files.mdwn @@ -13,4 +13,16 @@ wiki_link_regexp => qr/\[\[(?:([^\]\|]+)\|)?([^\s\]#]+)(?:#([^\s\]]+))?\]\]/, -This lets the site administrator have a `.htaccess` file in their underlay directory, say, then get it copied over when the wiki is built. Without this, installations that are located at the root of a domain don't get the benefit of `.htaccess` such as improved directory listings, IP blocking, URL rewriting, authorisation, etc. \ No newline at end of file +This lets the site administrator have a `.htaccess` file in their underlay +directory, say, then get it copied over when the wiki is built. Without +this, installations that are located at the root of a domain don't get the +benefit of `.htaccess` such as improved directory listings, IP blocking, +URL rewriting, authorisation, etc. + +> I'm concerned about security ramifications of this patch. While ikiwiki +> won't allow editing such a .htaccess file in the web interface, it would +> be possible for a user who has svn commit access to the wiki to use it to +> add a .htaccess file that does $EVIL. +> +> Perhaps this should be something that is configurable via the setup file +> instead. --[[Joey]] -- 2.45.0