Friday, June 6, 2008

.htaccess files in MediaWiki

I just did yet another installation of MediaWiki, and once again I have a bunch of .htaccess files lying around in the wiki directory. Since I don't believe in .htaccess files unless they're absolutely necessary, I decided to clean them up. Hopefully this will help other admins who want to do the same.

Here are the files that I found after the install using find . -name ".htaccess":

./math/.htaccess
./includes/.htaccess
./maintenance/.htaccess
./maintenance/archives/.htaccess
./languages/.htaccess
./tests/.htaccess

Each of these looks like a directory that we want to keep people out of. And, amazingly enough, each file contains only a single line: Deny from all. That would normally be a good thing, but it has a problem: the rule lives in a .htaccess file, so it only works if the server is configured to honor .htaccess files at all.

I've been very careful to set AllowOverride None in my httpd.conf file. This means that .htaccess files won't even be read, so those Deny from all rules have no effect. I also don't allow directory indexes by default, so nothing is listed if somebody types in one of those directories manually. But if they type the name of a file inside one of them by hand, they can still get to it.

It's tedious, but easy enough to fix. Just paste these lines into your httpd.conf, making sure of course to fix the paths to fit your needs:

<Directory /var/www/html/mediawiki/math>
    Order allow,deny
    Deny from all
</Directory>
<Directory /var/www/html/mediawiki/includes>
    Order allow,deny
    Deny from all
</Directory>
<Directory /var/www/html/mediawiki/maintenance>
    Order allow,deny
    Deny from all
</Directory>
<Directory /var/www/html/mediawiki/maintenance/archives>
    Order allow,deny
    Deny from all
</Directory>
<Directory /var/www/html/mediawiki/languages>
    Order allow,deny
    Deny from all
</Directory>
<Directory /var/www/html/mediawiki/tests>
    Order allow,deny
    Deny from all
</Directory>

This will provide the access control that those .htaccess files were supposed to provide, without the per-request performance cost and the security exposure that enabling .htaccess processing would have caused.
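Doing the translation by hand for six directories is fine, but it is easy to miss one on a bigger install or after an upgrade. The script below is an added example, not part of the original post or of MediaWiki: it finds every .htaccess file under a wiki checkout that consists of a Deny from all rule and prints the equivalent <Directory> stanza for httpd.conf, in the Apache 2.2 syntax used above (or, on request, the Apache 2.4 form, Require all denied). A second function checks the result from the outside by requesting a file inside each directory and reporting anything that does not come back as 403. The paths and URL in the comments are hypothetical; the test directory layout is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): generate <Directory> stanzas for
# httpd.conf from the Deny-from-all .htaccess files MediaWiki ships, so the
# same protection applies with AllowOverride None.
#
# Assumptions: $1 is the absolute filesystem path of the wiki (hypothetical,
# e.g. /var/www/html/mediawiki); Apache 2.2 directive syntax by default.

# gen_deny_stanzas ROOT [2.4]
#   Prints one <Directory> block per .htaccess file under ROOT whose purpose
#   is blocking access. Pass "2.4" as the second argument to emit the
#   Apache 2.4 equivalent ("Require all denied") instead of Order/Deny.
gen_deny_stanzas() {
    root=${1%/}            # strip a trailing slash so printed paths are clean
    style=${2:-2.2}
    # Sort for deterministic output; read each path on its own line.
    find "$root" -name .htaccess -type f | LC_ALL=C sort | while read -r f; do
        # Only translate files that contain a "Deny from all" rule; an
        # .htaccess that does something else (e.g. Options) needs a human.
        if grep -qi '^[[:space:]]*Deny[[:space:]]\{1,\}from[[:space:]]\{1,\}all' "$f"; then
            dir=$(dirname "$f")
            printf '<Directory %s>\n' "$dir"
            if [ "$style" = "2.4" ]; then
                printf '    Require all denied\n'
            else
                printf '    Order allow,deny\n'
                printf '    Deny from all\n'
            fi
            printf '</Directory>\n'
        fi
    done
}

# check_denied BASE_URL DIR...
#   Verifies the configuration from a client's point of view: requests the
#   .htaccess file inside each DIR (relative to the wiki URL) and reports any
#   response that is not 403. Returns non-zero if anything is reachable.
#   Needs a running server (BASE_URL is hypothetical, e.g. http://wiki.example/w);
#   the offline test below does not exercise it.
check_denied() {
    base=${1%/}; shift
    rc=0
    for d in "$@"; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$base/$d/.htaccess")
        if [ "$code" != "403" ]; then
            echo "NOT DENIED: $base/$d/.htaccess -> HTTP $code" >&2
            rc=1
        fi
    done
    return $rc
}

# When run directly with a path, print the stanzas for that wiki.
if [ $# -gt 0 ]; then
    gen_deny_stanzas "$1" "$2"
fi
```

Run it as `sh gen_deny.sh /var/www/html/mediawiki >> httpd.conf` (after reviewing the output), reload Apache, then call `check_denied http://wiki.example/w math includes maintenance maintenance/archives languages tests` to confirm each directory really answers 403 rather than serving the file. The generator deliberately ignores .htaccess files that do not contain a Deny rule, since those carry settings (rewrites, options) that need a different translation.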
