[Mediawiki-l] Uploaded File Access Security

Jack D. Pond jack.pond at psitex.com
Fri Mar 30 00:08:03 UTC 2007


The upcoming 1.10 and lockdown extensions have many great security features,
but unless I've missed something they don't extend to uploaded files.   I'd
like to create an environment where access to uploaded files can be
restricted by namespace.
 
In the default MediaWiki, all files uploaded can be accessed if the URL is
known by the default Internet User on all platforms.  The concept I'm
working with is to allow access only through PHP and then use the
restrictions available through lockdown and 1.10.  Thus the files could be
accessed using the [media:] and [image:] (with MW protections), but an
attempt to access directly via URL would result in a 401 error.
 
Before I launch down this path, has anyone tried this or some other approach
and is there somewhere I could look for advice?  If not, in the esteemed
opinion of you, the listserv members, is it advisable to open an article for
discussion and if so, where (mediawiki.org?).
 
BTW, saw this on the PHP site - http://us3.php.net/features.safe-mode,
Warning: Safe Mode was removed in PHP 6.0.0.   Don't want to go down a path
that's going to be obsolete with release 6.0.0.
 
I'm deeply grateful for the authors of MediaWiki and the participants in
this listserv. So please don't let this provoke rants about using a
different tool - I'm willing to make the investment (if possible) and
contribute the results back for general use.
 
Jack D. Pond
CIO, Montgomery County, PA
 
"Excellent firms don't believe in excellence, only in constant improvement
and constant change." -- Tom Peters (b. 1942)
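
The gatekeeper idea described in this message, sketched as an added example (not part of the original post and not MediaWiki's own code): a PHP check that decides whether a request for an uploaded file is served or refused with 401. The per-namespace directory layout, the `$acl` map and the function name `authorize_upload` are assumptions, and the upload directory is assumed to be unreachable by direct URL so that this script is the only way in.

```php
<?php
// Added example, not MediaWiki code. Assumed layout: <upload root>/<namespace>/<file>.
// $acl maps a namespace directory to the groups allowed to read it (hypothetical).

function authorize_upload(string $root, string $requested, array $groups, array $acl): array
{
    $rootReal = realpath($root);
    // realpath() collapses "../" and symlinks; false means the path does not exist.
    $fileReal = realpath($root . '/' . $requested);
    if ($rootReal === false || $fileReal === false || !is_file($fileReal)) {
        return [404, null];
    }
    // Refuse anything that resolves outside the upload root. The trailing
    // separator stops a sibling such as "<root>.txt" from passing the prefix test.
    if (strncmp($fileReal, $rootReal . DIRECTORY_SEPARATOR, strlen($rootReal) + 1) !== 0) {
        return [404, null];
    }
    // First path component below the root is the namespace directory.
    $relative  = substr($fileReal, strlen($rootReal) + 1);
    $namespace = explode(DIRECTORY_SEPARATOR, $relative)[0];
    // Default deny: a namespace with no ACL entry is readable by nobody.
    $allowed = $acl[$namespace] ?? [];
    if (count(array_intersect($groups, $allowed)) === 0) {
        return [401, null];
    }
    return [200, $fileReal];
}

// Constructed sample data so the script runs from the command line.
$root = sys_get_temp_dir() . '/uploads_demo_' . getmypid();
mkdir("$root/Public", 0700, true);
mkdir("$root/Finance", 0700, true);
file_put_contents("$root/Public/logo.png", 'constructed');
file_put_contents("$root/Finance/budget.pdf", 'constructed');
file_put_contents("$root.txt", 'constructed');   // sibling file outside the root
$acl = ['Public' => ['*', 'user'], 'Finance' => ['finance']];

$cases = [
    ['Public/logo.png', ['*']],                    // anonymous, public file      -> 200
    ['Finance/budget.pdf', ['*']],                 // anonymous, restricted file  -> 401
    ['Finance/budget.pdf', ['user', 'finance']],   // member of allowed group     -> 200
    ['Public/../Finance/budget.pdf', ['*']],       // ACL follows resolved path   -> 401
    ['../' . basename($root) . '.txt', ['*']],     // resolves outside the root   -> 404
];
foreach ($cases as [$path, $groups]) {
    [$status] = authorize_upload($root, $path, $groups, $acl);
    printf("%-40s %-14s -> %d\n", $path, implode(',', $groups), $status);
}
```

In a real front script the 200 case would go on to send the file with `readfile()`, and the group list would come from the wiki's own session and permission checks rather than a literal array.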

