[Mediawiki-l] Upload security

Jack D. Pond jack.pond at psitex.com
Sun Apr 22 22:15:01 UTC 2007 

Eric,

There are multiple answers to you question depending on what you're trying
to do.

If you are trying to restrict access so that uploaded files cannot be
accessed in any way except through MediaWiki, you may want to read:

http://www.mediawiki.org/wiki/Manual:Image_Authorisation

If you just want to create a non-executable directory that is not part of
the web root, look up:

$wgUploadPath
$wgUploadDirectory

You may also want to take a look at:

$wgFileExtensions - do not allow server executables such as php, asp, pl,
etc.
$wgEnableUploads = false;  # disallow uploads altogether

$wgGroupPermissions['*']['upload'] = false; # Disallow anonymous users
uploads
$wgGroupPermissions['*']['reupload'] = false;
$wgGroupPermissions['*']['reupload-shared'] = false;
$wgGroupPermissions['*']['minoredit'] = false;

# Disallow logged in users access, until you approve their ability to upload
$wgGroupPermissions['user']['upload'] = false;
$wgGroupPermissions['user']['reupload'] = false;
$wgGroupPermissions['user']['reupload-shared'] = false;

# Allow only approved accounts to upload
$wgGroupPermissions['approved']['upload'] = true;
$wgGroupPermissions['approved']['reupload'] = true;
$wgGroupPermissions['approved']['reupload-shared'] = true;



Jack D. Pond
 
"The devil has put a penalty on all things we enjoy in life. Either we
suffer in health or we suffer in soul or we get fat." -- Albert Einstein.
1879-1955
-----Original Message-----
From: mediawiki-l-bounces at lists.wikimedia.org
[mailto:mediawiki-l-bounces at lists.wikimedia.org] On Behalf Of Eric K
Sent: Sunday, April 22, 2007 4:07 PM
To: MW
Subject: [Mediawiki-l] Upload security

  I still want to make the system as safe as possible so that a hacker can
never upload anything malicious and run it. Our server was compromised but
that was through someone who was using an unsafe CMS. 
   
  Is there anything like, setting the Uploads directory to a directory that
is outside the WWW root, so even if a hacker uploads a scipt, he cant run it
using the browser, because its not accessible?
   
  And also I guess we should set the permissions of that directory to be
non-executable, but writebable by all?

       
---------------------------------
Ahhh...imagining that irresistible "new car" smell?
 Check outnew cars at Yahoo! Autos.
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l at lists.wikimedia.org
http://lists.wikimedia.org/mailman/listinfo/mediawiki-l

More information about the MediaWiki-l mailing list