On 20/09/10 16:53, [email protected] wrote:
> I'm trying to implement the security improvement of moving as many
> includes and behind-the-scenes support files as I can into a
> non-web-accessible directory as suggested at
> http://www.mediawiki.org/wiki/Manual:Security#Alternate_file_layout
> however success is fleeting. The problem is that the web page's
> view seems myopic, that all you need to do is change your
> include_path and all will work out. This is not the case in my
> experience: index.php calls files at specific locations, that means
> you need to hard code new locations in that file; the files that
> index.php call, like WebStart.php, do things like "$IP=getenv(
> 'MV_INSTALL_PATH' );" which fetches the original install path of
> the wiki (where everything else is stored which is exactly what I
> don't want in this situation) and tries to ap ply it to more
> includes files... and this goes on and on.
The easiest way to do it would be to set the document root to an empty
or non-existent directory, and then use Alias directives in the apache
configuration to expose only the scripts and directories that need to
be web-accessible.
Alternatively you can write a set of loader scripts which look like this:
<?php
chdir('/path/to/wiki');
require('./index.php');
?>
WebStart.php uses the current directory as a base. It's certainly not
enough to set include_path, indeed it's probably not helpful at all.
-- Tim Starling
_______________________________________________
MediaWiki-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
