
Item10552: why are we not supplying a rewrite rule to secure all pub access except System web

Priority: Urgent
Current State: No Action Required
Released In: n/a
Target Release: n/a
Applies To: Engine
Component: ApacheConfigGenerator
Branches:
Reported By: SvenDowideit
Waiting For:
Last Change By: GeorgeClark
It'd secure the attachments and still provide fast-path access to the skin files.

Urgent because it's silly that we don't. :-)

(It's an ApacheConfigGenerator issue really.)

-- SvenDowideit - 28 Mar 2011

Indeed, secure attachments should be default.

There are some other webs or paths that users might want to exclude from the redirect, e.g. pub/Applications and pub/images. In any case, users tend to keep static files in a different subdirectory like this; such users should have an idea why their Foswiki suddenly got slow. So there should be a configurable list of webs, defaulting to System only, to exclude from the redirect.

Note also that bin/viewfile should send an Expires header like normal .../pub/... files, for browser-side caching of static files no matter how they were served.

-- MichaelDaum - 28 Mar 2011

Huh, ApacheConfigGenerator does include optional protection for pub, and has an exception for System:
In some installations it is important to protect attached files with the same access controls that are applied to the owning topic. If this option is selected, the configuration will include some rewrite rules that redirect web access to attachments to the bin/viewfile script.

* Note that this option can have a significant impact on performance.
* Also, this option is incompatible with ImageGalleryPlugin as it writes to /pub/images, which is not a valid web name.
* Viewfile sets the MIME type based upon the file name suffix. Unknown types are served as text/plain, which can result in corrupt files.
* This option will also add some rewrite rules that bypass viewfile for certain graphics files; review the comments in the configuration carefully!

Do you want to apply Foswiki access controls to attachments by redirecting access to the viewfile script? Check to control attachment access: (optional)

And the generated config:

#
#  Protect attachments by rewriting to the "viewfile" script
#

#  Permit some safe exceptions to avoid viewfile overhead
#  Any gif/jpg/ico in /pub, and any files in /pub/System or any WebPreferences:
#  pass through unmodified
RewriteCond  %{REQUEST_URI} ^/+foswiki/pub/[^/]+\.(gif|jpe?g|ico)$  [NC,OR]
RewriteCond  %{REQUEST_URI} ^/+foswiki/pub/System/(.*)$  [OR]
RewriteCond  %{REQUEST_URI} ^/+foswiki/pub/([^/]+/)+WebPreferences/([^/]+)$
RewriteRule  ^/+foswiki/pub/.* - [L,PT]

-- GeorgeClark - 29 Mar 2011
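The exemption chain in the generated block above, worked through as an added example that is not Foswiki's ApacheConfigGenerator code: it emits the same RewriteCond list for a configurable set of exempt webs (the configurable exception MichaelDaum asks for, defaulting to System only) and then evaluates constructed request URIs against those same conditions with Python's re module, so you can see which paths are served untouched and which are routed through bin/viewfile. The /foswiki prefix, the web names Main, Sandbox and Applications, the sample URIs and the final RewriteRule to bin/viewfile (the quoted snippet stops at the pass-through rule) are assumptions for illustration.

```python
import re

# Assumed URL prefix; the quoted generated config uses /foswiki.
PREFIX = "/foswiki"


def build_conditions(prefix=PREFIX, exempt_webs=("System",),
                     bypass_exts=("gif", "jpe?g", "ico")):
    """Build the RewriteCond chain as (pattern, flags) pairs.

    exempt_webs is the configurable exception list MichaelDaum proposed.
    The default ("System",) reproduces the quoted generated config;
    ("System", "Applications") is an assumed site-specific addition.
    """
    p = re.escape(prefix.strip("/"))
    conds = [
        # gif/jpg/ico directly under pub/ (no web directory), case-insensitive
        (r"^/+%s/pub/[^/]+\.(%s)$" % (p, "|".join(bypass_exts)), "NC,OR"),
    ]
    for web in exempt_webs:
        conds.append((r"^/+%s/pub/%s/(.*)$" % (p, re.escape(web)), "OR"))
    # last condition carries no OR: the chain ends here
    conds.append((r"^/+%s/pub/([^/]+/)+WebPreferences/([^/]+)$" % p, ""))
    return conds


def render_config(prefix=PREFIX, exempt_webs=("System",)):
    """Render the Apache snippet.  The pass-through rule is the quoted one;
    the trailing rewrite to bin/viewfile is this example's assumption of
    what follows it, not part of the quoted text."""
    p = prefix.strip("/")
    lines = ["#  Permit some safe exceptions to avoid viewfile overhead"]
    for pattern, flags in build_conditions(prefix, exempt_webs):
        lines.append("RewriteCond  %%{REQUEST_URI} %s%s"
                     % (pattern, ("  [%s]" % flags) if flags else ""))
    lines.append("RewriteRule  ^/+%s/pub/.* - [L,PT]" % p)
    lines.append("#  Everything else under pub/ is access-checked (assumed rule)")
    lines.append("RewriteRule  ^/+%s/pub/(.*)$ /%s/bin/viewfile/$1 [L,PT]"
                 % (p, p))
    return "\n".join(lines)


def route(uri, conds, prefix=PREFIX):
    """Decide where a request for uri ends up under these rules:
    'other'    - not under pub/, the rules do not apply
    'static'   - a condition fired: Apache serves the file, no access check
    'viewfile' - rewritten to bin/viewfile: Foswiki access controls apply
    """
    p = re.escape(prefix.strip("/"))
    if not re.match(r"^/+%s/pub/" % p, uri):
        return "other"
    for pattern, flags in conds:
        if re.search(pattern, uri, re.IGNORECASE if "NC" in flags else 0):
            return "static"
    return "viewfile"


# Constructed sample requests, not taken from any real log.
SAMPLES = [
    "/foswiki/pub/Main/ProjectPlan/budget.xlsx",
    "/foswiki/pub/System/DocumentGraphics/help.gif",
    "/foswiki/pub/favicon.ICO",
    "/foswiki/pub/Main/Photos/holiday.jpg",
    "/foswiki/pub/Main/WebPreferences/notes.txt",
    "/foswiki/pub/Sandbox/Sub/WebPreferences/logo.png",
    "/foswiki/pub/Applications/Theme/site.css",
    "/foswiki/bin/view/Main/WebHome",
]


def audit(exempt_webs=("System",)):
    """Map each sample URI to its route for a given exemption list."""
    conds = build_conditions(exempt_webs=exempt_webs)
    return {uri: route(uri, conds) for uri in SAMPLES}


if __name__ == "__main__":
    print(render_config())
    for webs in (("System",), ("System", "Applications")):
        print("\nexempt webs:", ", ".join(webs))
        for uri, where in audit(webs).items():
            print("  %-50s -> %s" % (uri, where))
```

Two things the audit output makes visible that the comments in the generated block do not: the gif/jpg/ico exception only matches files sitting directly under pub/ (the `[^/]+` cannot cross a web directory), so images attached to ordinary topics still go through viewfile; and any file attached to any WebPreferences topic, in any web or subweb, is served with no access check at all, so nothing sensitive should ever be attached there. Adding a web to the exempt list has the same effect for the whole web.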

Opened Enhancement task Item10576 to support etags and expires headers with viewfile. Closing this as no action required.

-- GeorgeClark - 30 Mar 2011
Codebase: trunk
SVN Range:
Checkins:
Topic revision: r4 - 30 Mar 2011, GeorgeClark