On 20/09/10 16:53, tojja(a)Safe-mail.net wrote:
> I'm trying to implement the security improvement of moving as many
> includes and behind-the-scenes support files as I can into a
> non-web-accessible directory as suggested at
> http://www.mediawiki.org/wiki/Manual:Security#Alternate_file_layout
> however success is fleeting. The problem is that the web page's
> view seems myopic, that all you need to do is change your
> include_path and all will work out. This is not the case in my
> experience: index.php calls files at specific locations, that means
> you need to hard code new locations in that file; the files that
> index.php call, like WebStart.php, do things like "$IP=getenv(
> 'MV_INSTALL_PATH' );" which fetches the original install path of
> the wiki (where everything else is stored which is exactly what I
> don't want in this situation) and tries to apply it to more
> includes files... and this goes on and on.

The easiest way to do it would be to set the document root to an empty
or non-existent directory, and then use Alias directives in the Apache
configuration to expose only the scripts and directories that need to
be web-accessible.

Alternatively you can write a set of loader scripts which look like this:

<?php
// Switch to the real wiki directory, which lives outside the web root
chdir('/path/to/wiki');
require('./index.php');
?>

WebStart.php uses the current directory as a base. It's certainly not
enough to set include_path, indeed it's probably not helpful at all.

-- Tim Starling
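
The Alias-based layout described in the reply above, as an added example that is not part of the original message. It uses Apache 2.4 syntax; the paths /srv/mediawiki and /var/www/empty, the /w URL prefix, and the choice of exposed entry points (index.php, api.php, skins/, images/) are assumptions to adjust to your own installation and MediaWiki version.

```apache
# Assumed layout (not from the original message):
#   /srv/mediawiki  - full MediaWiki install, outside any document root
#   /var/www/empty  - empty directory used as the document root

DocumentRoot "/var/www/empty"

# Default-deny the whole filesystem; only the sections below grant access.
<Directory "/">
    AllowOverride None
    Require all denied
</Directory>

# Entry-point scripts, aliased one file at a time. Nothing else in the
# top-level directory (LocalSettings.php, includes/, maintenance/, ...)
# is mapped to a URL, so it cannot be requested.
Alias "/w/index.php" "/srv/mediawiki/index.php"
Alias "/w/api.php"   "/srv/mediawiki/api.php"

<Directory "/srv/mediawiki">
    <FilesMatch "^(index|api)\.php$">
        Require all granted
    </FilesMatch>
</Directory>

# Static assets and uploads that browsers must fetch directly.
Alias "/w/skins"  "/srv/mediawiki/skins"
Alias "/w/images" "/srv/mediawiki/images"

<Directory "/srv/mediawiki/skins">
    Options -Indexes
    Require all granted
</Directory>

<Directory "/srv/mediawiki/images">
    Options -Indexes
    Require all granted
</Directory>
```

Because index.php is served from its real location, WebStart.php still finds the rest of the code relative to the install directory, so no include_path changes or loader scripts are needed with this layout.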