Index: IkiWiki.pm
===================================================================
--- IkiWiki.pm  (revision 2981)
+++ IkiWiki.pm  (working copy)
@@ -26,7 +26,7 @@
 memoize("file_pruned");

 sub defaultconfig () {
-       wiki_file_prune_regexps => [qr/\.\./, qr/^\./, qr/\/\./,
+       wiki_file_prune_regexps => [qr/\.\./, qr/^\.(?!htaccess)/, qr/\/\.(?!htaccess)/,
                qr/\.x?html?$/, qr/\.ikiwiki-new$/,
                qr/(^|\/).svn\//, qr/.arch-ids\//, qr/{arch}\//],
       wiki_link_regexp => qr/\[\[(?:([^\]\|]+)\|)?([^\s\]#]+)(?:#([^\s\]]+))?\]\]/,

Note that the above patch is completely broken. It removes the crucial excludes of all files starting with a dot. The negative regexps for htaccess have no effect, so the whole thing only "works" because it allows any file starting with a dot. If you applied this patch to your ikiwiki, you opened a huge security hole. --Joey

This lets the site administrator have a .htaccess file in their underlay directory, say, then get it copied over when the wiki is built. Without this, installations that are located at the root of a domain don't get the benefit of .htaccess such as improved directory listings, IP blocking, URL rewriting, authorisation, etc.

I'm concerned about security ramifications of this patch. While ikiwiki won't allow editing such a .htaccess file in the web interface, it would be possible for a user who has svn commit access to the wiki to use it to add a .htaccess file that does $EVIL.

Perhaps this should be something that is configurable via the setup file instead. --Joey

See


Hi, I would like to have my htaccess files in svn repository so ikiwiki would export that file to my webspace with every commit.

That way I have revision control on that file too. That may be a security concern, but I trust everybody that has svn commit access and such .htaccess files should not be accessible through wiki cgi. Of course, it could default to 'off'.

See Debian bug #447267 for a patch for this.

It looks to me as though this functionality won't be included in ikiwiki unless someone who wants it takes responsibility for updating the patch from that Debian bug to be applicable to current versions, so that there's a setup file parameter for extra filenames to allow, defaulting to none (i.e. a less simplistic patch than the one at the top of this page). Joey, is this an accurate summary? --smcv


bump! I would like to see some form of this functionality included in ikiwiki. I use a patched version, but its a bit of a PITA to constantly apply it (and to forget sometimes!). I know that security concern is important to consider, but I use ikiwiki with a very small group of people collaborating so svn/web access is under control and htaccess is for limiting access to some areas of wiki.
It should be off by default of course. --Max


+1 I want .htaccess so I can rewrite some old Wordpress URLs to make feeds work again. --hendry

Unless you cannot modify apache's configuration, you do not need htaccess to do that. Apache's documentation recommends against using htaccess unless you're a user who cannot modify the main server configuration. --Joey


+1 for various purposes (but sometimes the filename isn't .htaccess, so please make it configurable) --schmonz

I've described a workaround for one use case at the rsync discussion page. --schmonz


done, you can use the include setting to override the default excludes now. Please use extreme caution when doing so. --Joey