IRC log of #dokuwiki @ irc.freenode.net

For Thursday, 9 September 2010

  1. quit
    alice|wl (~helo@wl-1-pt.tunnel.tserv6.fra1.ipv6.he.net) has quit (Ping timeout: 272 seconds)
  2. join
    alice|wl (~helo@wl-1-pt.tunnel.tserv6.fra1.ipv6.he.net) entered the channel
  3. quit
    MeaCulpa (~MeaCulpa@221.239.217.21) has quit (Quit: http://ucarenya.com/)
  4. quit
    Mister_X] (~Mister_X@73.78-240-81.adsl-dyn.isp.belgacom.be) has quit (Ping timeout: 258 seconds)
  5. join
    Mister_X] (~Mister_X@143.223-247-81.adsl-dyn.isp.belgacom.be) entered the channel
  6. quit
    carandraug (~carandrau@proxy4.library.nuigalway.ie) has quit (Quit: Ex-Chat)
  7. quit
    chomwitt (~chomwitt@ppp-94-66-128-244.home.otenet.gr) has quit (Quit: Lost terminal)
  8. quit
    prc33 (~pete@unaffiliated/prc33) has quit (Quit: Leaving.)
  9. quit
    fafanet (c8c39542@gateway/web/freenode/ip.200.195.149.66) has quit (Ping timeout: 252 seconds)
  10. quit
    RyanChile (~luis@200.11.76.174) has quit (Remote host closed the connection)
  11. join
    RyanChile (~luis@200.11.76.174) entered the channel
  12. join
    pierrickuk (~pierrick@beijing.asianux.net) entered the channel
  13. part
    pierrickuk (~pierrick@beijing.asianux.net) has left the channel ()
  14. quit
    RyanChile (~luis@200.11.76.174) has quit (Quit: Leaving.)
  15. quit
    Chris--S (~Chris--S@87-194-159-222.bethere.co.uk) has quit (Quit: Chris--S)
  16. join
    LongBeach (~mike@AFontenayssB-152-1-17-33.w82-121.abo.wanadoo.fr) entered the channel
  17. join
    gammaproduction (~gammaprod@f052098245.adsl.alicedsl.de) entered the channel
  18. quit
    gammaproduction (~gammaprod@f052098245.adsl.alicedsl.de) has quit (Quit: Leaving.)
  19. join
    gammaproduction (~Adium@fw.inetsoftware.de) entered the channel
  20. join
    adrianlang (~adrian@wikimedia/codeispoetry) entered the channel
  21. quit
    LongBeach (~mike@AFontenayssB-152-1-17-33.w82-121.abo.wanadoo.fr) has quit (Ping timeout: 272 seconds)
  22. quit
    sandbags (~sandbags@unaffiliated/rubymatt) has quit (Excess Flood)
  23. join
    sandbags (~sandbags@208-78-96-201.slicehost.net) entered the channel
  24. quit
    sandbags (~sandbags@208-78-96-201.slicehost.net) has quit (Changing host)
  25. join
    sandbags (~sandbags@unaffiliated/rubymatt) entered the channel
  26. join
    lolmaus (~lolmaus@178.236.241.96) entered the channel
  27. join
    prc33 (~pete@unaffiliated/prc33) entered the channel
  28. quit
    sandbags (~sandbags@unaffiliated/rubymatt) has quit (Excess Flood)
  29. join
    sandbags (~sandbags@208-78-96-201.slicehost.net) entered the channel
  30. quit
    sandbags (~sandbags@208-78-96-201.slicehost.net) has quit (Changing host)
  31. join
    sandbags (~sandbags@unaffiliated/rubymatt) entered the channel
  32. quit
    gammaproduction (~Adium@fw.inetsoftware.de) has quit (Read error: No route to host)
  33. join
    gammaproduction (~Adium@fw.inetsoftware.de) entered the channel
  34. join
    Chris--S (~Chris--S@87-194-159-222.bethere.co.uk) entered the channel
  35. quit
    sandbags (~sandbags@unaffiliated/rubymatt) has quit (Excess Flood)
  36. join
    sandbags (~sandbags@208-78-96-201.slicehost.net) entered the channel
  37. quit
    sandbags (~sandbags@208-78-96-201.slicehost.net) has quit (Changing host)
  38. join
    sandbags (~sandbags@unaffiliated/rubymatt) entered the channel
  39. part
    sandbags (~sandbags@unaffiliated/rubymatt) has left the channel ()
  40. join
    einhirn (~Miranda@bsod.rz.tu-clausthal.de) entered the channel
  41. quit
    MadSir (~MadSir@116.236.175.230) has quit (Read error: Connection reset by peer)
  42. quit
    prc33 (~pete@unaffiliated/prc33) has quit (Quit: Leaving.)
  43. join
    prc33 (~pete@unaffiliated/prc33) entered the channel
  44. join
    carandraug (~carandrau@proxy3.library.nuigalway.ie) entered the channel
  45. join
    amee2k (~thomas@ve504.cugnet.net) entered the channel
  46. message at
    amee2k
    morning everyone
  47. message at
    amee2k
    :)
  48. message at
    amee2k
    why do i get an error "E-Mail address <user@localhost> is not valid" when changing a user's email address to the one in the message?
  49. message at
    amee2k
    (i assume the "Notification email could not be sent" message following right after that is a consequence of the message above)
  50. join
    splitbrain (~andi@pdpc/supporter/active/splitbrain) entered the channel
  51. message at
    splitbrain
    hi
  52. message at
    splitbrain
    Chris--S, could I get your thoughts on FS#2020 ?
  53. message at
    Chris--S
    is that number right
  54. message at
    Chris--S
    i'm redirected to bugs home
  55. message at
    adrianlang
    Chris--S: http://bugs.splitbrain.org/index.php?do=details&task_id=2020 works
  56. message at
    adrianlang
    hm, nope
  57. message at
    Chris--S
    i see now. I get a permission error
  58. message at
    Chris--S
    I'm not allowed to view that bug
  59. message at
    splitbrain
    are you logged in?
  60. message at
    Chris--S
    yes
  61. message at
    splitbrain
    I set the bug to private
  62. message at
    splitbrain
    hmm
  63. message at
    splitbrain
    okay
  64. message at
    splitbrain
    let me change that
  65. message at
    splitbrain
    okay try again
  66. message at
    Chris--S
    i tried it
  67. message at
    Chris--S
    i don't have a file test.php
  68. message at
    splitbrain
    ?
  69. message at
    adrianlang
    Chris--S: But test.php.meta?
  70. message at
    Chris--S
    yes
  71. message at
    Chris--S
    test.php.changes test.php.txt
  72. message at
    adrianlang
    Chris--S: That's the problem.
  73. message at
    splitbrain
    the real problem is Multiviews I think
  74. message at
    Chris--S
    multiviews
  75. message at
    Chris--S
    yes
  76. message at
    adrianlang
"Apache will treat files named filename.php.something as php files and execute them."
  77. message at
    Chris--S
it won't unless you are running multiviews
  78. message at
    adrianlang
    Yeah, so?
  79. message at
    adrianlang
    Multiviews is quite common.
  80. message at
    splitbrain
    unfortunately multiviews seems to be default on many distributions
  81. message at
    Chris--S
    i've turned on multiviews and I'm running mod_negotiation
  82. message at
    Chris--S
    still not seeing anything
  83. message at
    Chris--S
    i think it has to recognise the final extension too
  84. message at
    Chris--S
    the page will run ... ie. test.php.txt
  85. message at
    Chris--S
    configuration of a webserver and dokuwiki is something the wiki admin has to do. we can't take into account all possible configurations
  86. message at
    adrianlang
    Chris--S: That's ignorant. We have so many crap fixes for shit ppl do on their servers or clients.
  87. message at
    Chris--S
    possibly we should add Options -Multiviews into .htaccess, but if they're running .htaccess the Order/Allow/Deny will take care of it
  88. message at
    adrianlang
    Anyways, it could be possible that someone cannot run DokuWiki securely on a hosting service due to this problem.
  89. message at
    splitbrain
    adrianlang, what's your suggestion?
  90. message at
    adrianlang
    Actually, even my Server config defaults to Multiviews and no htaccess.
  91. message at
    Chris--S
    two I can think of, ban ".php" and any other standard executable extension from filenames (at least as a default config option), encode filenames on disk
  92. message at
    adrianlang
    And by "defaults to" I mean: That's the current config I am using.
  93. message at
    Chris--S
    presumably if your server runs mod_ruby, test.rb would exhibit the same problem
  94. message at
    adrianlang
Disabling MultiViews didn't work for me
  95. message at
    adrianlang
    <Directory /var/www/wiki/>
  96. message at
    adrianlang
    Options -MultiViews
  97. message at
    adrianlang
    [rewrite stuff]
  98. message at
    adrianlang
    </Directory>
  99. message at
    adrianlang
Didn't work
  100. message at
    Chris--S
    we could try our own variation on address layout randomization
  101. message at
    Chris--S
    pages-{randomnumber}
  102. message at
    adrianlang
    We could reverse the page name
  103. message at
    Chris--S
    meta-{randomnumber}
  104. message at
    adrianlang
    Ah, doesnt work with php
  105. message at
    Chris--S
    adrianlang, do you mean meta.test.php
  106. message at
    Chris--S
    or php.tset.meta
  107. message at
    adrianlang
    Na, every single character
  108. message at
    adrianlang
    Like that
  109. message at
    Chris--S
    then I can create a page called php.tset
  110. message at
    adrianlang
    Forget it
  111. message at
    adrianlang
    Exactly
  112. quit
    carandraug (~carandrau@proxy3.library.nuigalway.ie) has quit (Quit: Ex-Chat)
  113. message at
    Chris--S
    {randomnumber} into the directory tree
  114. message at
    Chris--S
    but not media portion - where it would be visible and its purpose would have been defeated
  115. message at
    adrianlang
    Mh
  116. message at
    adrianlang
    Hashing the file name?
  117. message at
    Chris--S
    one of dokuwiki's plus's is you can read the files on the disk
  118. message at
    Chris--S
    pluses
  119. message at
    adrianlang
    Definitely
  120. message at
    Chris--S
    hashing the name would reduce that as you wouldn't know which file to look at
  121. message at
    adrianlang
    Spam-Blacklisting '<?' in files with .php in the name when .htaccess is not available? :)
  122. join
    carandraug (~carandrau@proxy3.library.nuigalway.ie) entered the channel
  123. message at
    Chris--S
    we could encode the "."
  124. message at
    Chris--S
    test%2ephp
  125. message at
    Chris--S
adrianlang, it's not just php
  126. message at
    adrianlang
    Chris--S: Yeah, I know
  127. message at
    Chris--S
    the possibility extends to any executable, do they all use <?
  128. message at
    adrianlang
    But ppl who have another interpreters running probably are able to change their config
  129. message at
    adrianlang
    Not that I know how to fix the config right now …
  130. message at
    Chris--S
a lot of the big hosting services offer all sorts of languages these days as part of default package
  131. message at
    Chris--S
    certainly php, ruby, perl
  132. message at
    Chris--S
    python too
  133. message at
    adrianlang
    Ok
  134. message at
    adrianlang
    So changing the file name is probably our only chance
  135. message at
    Chris--S
    i think random number and/or encoding '.'
  136. message at
    adrianlang
    http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext
  137. message at
    Chris--S
    or always stick a .txt on the end
  138. message at
    adrianlang
    "If you would prefer only the last dot-separated part of the filename to be mapped to a particular piece of meta-data, then do not use the Add* directives."
  139. message at
    Chris--S
    test.php.meta.txt
  140. message at
    Chris--S
    however for me test.php.meta wasn't the problem, test.php.txt was
  141. message at
    adrianlang
    For me its the other way round
  142. message at
    adrianlang
    .txt is no problem, .meta gives phpinfo
  143. message at
    adrianlang
    Fuck
  144. message at
    adrianlang
    really
  145. message at
    Chris--S
    i like adding a installation chosen random number in the directory tree
  146. message at
    adrianlang
    Hm-m
  147. message at
    Chris--S
    it should require access to the server to discover and if they have access to the server, you have a much bigger problem
  148. message at
    splitbrain
    so you can't guess the path?
  149. message at
    Chris--S
    yes
  150. message at
    adrianlang
    Still, it gives PHP execution rights as www-data to anyone allowed to read the wiki dir
  151. message at
    splitbrain
    hmm
  152. message at
    adrianlang
    Anyways, changing the data directory is a config option
  153. message at
    splitbrain
also it would have to be a big number, otherwise I can just try them all
  154. message at
    Chris--S
but it's discoverable through media
  155. message at
    adrianlang
    So how about checking whether htaccess works (maybe in the installer), and if not, adding the random number?
  156. message at
    Chris--S
    8 or 10 * 62 characters should be pretty good
  157. message at
    Chris--S
that's about 2.2 e14
  158. message at
    adrianlang
    Chris--S: It is? (Discoverable)
  159. message at
    splitbrain
    so we'd rename the data dir?
  160. message at
    splitbrain
    or put a subdirectory inside data?
  161. message at
    Chris--S
    adrianlang, actually I'm not sure, that's a gues
  162. message at
    Chris--S
    guess
  163. message at
    Chris--S
    splitbrain, it depends on the media access ... does the client browser ever see the file path from doc root to the media file
  164. message at
    splitbrain
    and set $conf['savedir'] = 'data/randomstring';?
  165. message at
    splitbrain
    no
  166. message at
    Chris--S
    ok. then your solution should be ok
  167. message at
    splitbrain
media is not accessible from the outside
  168. message at
    adrianlang
    Jep
  169. message at
    splitbrain
    reliable htaccess checking is only possible through js
  170. message at
    Chris--S
    could probably do through meta redirects
  171. message at
    splitbrain
    so the installer would need to try accessing the data dir and fill in a "random prefix" field via JS
  172. message at
    splitbrain
    hm how?
  173. message at
    Chris--S
    actually probably a bad idea
  174. message at
    adrianlang
    splitbrain: How about loading an background image with the warning text through something protected?
  175. message at
    Chris--S
    you'd get stuck
  176. message at
    splitbrain
    adrianlang, good idea
  177. message at
    splitbrain
    to display a warning
  178. message at
    splitbrain
    problem with the prefix:
  179. message at
    splitbrain
    our install tarball has the whole data/* structure
  180. message at
    adrianlang
    Yes
  181. message at
    splitbrain
    it's all ugly
  182. message at
    Chris--S
but it's possible to program around
  183. message at
    adrianlang
    Dead ugly
  184. message at
    splitbrain
    I still vote for do checks but leave resolution to user
  185. message at
    adrianlang
    but moving should be possible
  186. message at
    adrianlang
    splitbrain: And how to resolve?
  187. message at
    splitbrain
    adrianlang, as a user?
  188. message at
    adrianlang
    As someone not having access to the server config
  189. message at
    splitbrain
    a) move savedir out of webroot b) rename data to something cryptic and set $conf['savedir']
  190. message at
    adrianlang
    Ok, that's right
  191. message at
    splitbrain
    b) needs to be documented at :security
  192. message at
    Chris--S
    adding a move step is pretty straightforward.
  193. message at
    splitbrain
    Chris--S, not if the permissions don't fit
  194. message at
    Chris--S
    don't we always have write access inside data?
  195. message at
    splitbrain
    no only to data/*
  196. message at
    splitbrain
at least that's what we check AFAIR
  197. message at
    adrianlang
    <Directory /var/www/wiki/>
  198. message at
    adrianlang
    Options -MultiViews
  199. message at
    adrianlang
    AllowOverride Limit
  200. message at
    adrianlang
    [rewrite stuff]
  201. message at
    adrianlang
    </Directory>
  202. message at
    adrianlang
    works
  203. message at
    Chris--S
    we do check that data is writable
  204. message at
    splitbrain
    okay
  205. message at
    splitbrain
    but
  206. message at
    splitbrain
    for checking the subdirectories we'd need the random bit. but that random bit isn't set in the installer, yet
  207. message at
    adrianlang
    Dominik proposed to use a "russian dot" instead of the ascii dot
  208. message at
    Chris--S
    will that be valid on all file systems?
  209. message at
    adrianlang
    Another proposal from him, slightly related: Instead of prohibiting single accesses, allowing only index.php, doku.php, feed.php, lib
  210. message at
    splitbrain
    the latter is not in our hands
  211. message at
    splitbrain
    the former is problematic with filesystems. also brekas existing installs
  212. message at
    splitbrain
    *breaks
  213. message at
    adrianlang
    splitbrain: Well, in my case it would have saved my ass, because I actually //used// the default .htaccess, I only copied it over to the static configs.
  214. message at
    splitbrain
    adrianlang, I see
  215. message at
    Chris--S
    adrianlang, I don't understand your last but one comment
  216. message at
    splitbrain
    Chris--S, it's not really a solution
  217. message at
    splitbrain
    it's just that he modelled his vserver setup after our default htaccess
  218. message at
    adrianlang
    It's only a solution for a very specific case
  219. message at
    splitbrain
adrianlang, you would have been safe if the main .htaccess had also included the other .htaccess setups, e.g. denying access to data
  220. message at
    adrianlang
    Yes
  221. message at
    splitbrain
    but that's a fuckup on your side setting up the server ;-)
  222. message at
    splitbrain
    (and not reading :security)
  223. message at
    adrianlang
    Well, I didn't know that granting people right rights on /data would inflict php exec right
  224. message at
    adrianlang
    *read rights, that is
  225. message at
    splitbrain
    adrianlang, well it also grants access to all your pages (regardless of ACL) and access to your cookie security file
  226. message at
    adrianlang
    Jup
  227. message at
    splitbrain
    anyway. what's our decision?
  228. message at
    adrianlang
    Prominent warnings + suggestions seems ok
  229. message at
    splitbrain
    I'll look into adding the background image thingy you suggested to the installer
  230. message at
    adrianlang
    We should write a good documentation
  231. message at
    Chris--S
and create a feature request for adding capability to installer to handle moving data directory when possible and at user's direction
  232. message at
    adrianlang
    Which would be cool anyway
  233. message at
    Chris--S
    ideally if it could move it below docroot
  234. message at
    adrianlang
    http://www.dokuwiki.org/doku.php?do=check
  235. message at
    adrianlang
    Why did it fail to check?
  236. message at
    adrianlang
    Because there is no URL to the data dir at all?
  237. message at
    splitbrain
it probably gets a 200 but not the content it is looking for
  238. message at
    splitbrain
    because I have lighty rewriting
  239. message at
    splitbrain
    okay the image based check in installer is pushed
  240. message at
    splitbrain
    should I replace the javascript one in the admin screen with this one instead?
  241. join
    MeaCulpa (~MeaCulpa@221.239.217.21) entered the channel
  242. message at
    adrianlang
    The image version is probably even faster
  243. message at
    adrianlang
    And if we already have the image, why not use it
  244. message at
    splitbrain
    okay
  245. message at
    splitbrain
    done
  246. join
    odyssomay (~odyssomay@c-ed86e155.443-1-64736c11.cust.bredbandsbolaget.se) entered the channel
  247. quit
    MeaCulpa (~MeaCulpa@221.239.217.21) has quit (Read error: Connection reset by peer)
  248. join
    MeaCulpa (~MeaCulpa@221.239.217.21) entered the channel
  249. quit
    gammaproduction (~Adium@fw.inetsoftware.de) has quit (Quit: Leaving.)
  250. join
    bipo (~bipo@85-124-200-139.static.xdsl-line.inode.at) entered the channel
  251. quit
    odyssomay (~odyssomay@c-ed86e155.443-1-64736c11.cust.bredbandsbolaget.se) has quit (Quit: Leaving)
  252. quit
    adrianlang (~adrian@wikimedia/codeispoetry) has quit (Quit: Leaving.)
  253. join
    sjm (~sjm@rivendell/users/sjm) entered the channel
  254. join
    lupo49 (~lupo49@pD9E9F9DB.dip.t-dialin.net) entered the channel
  255. nick
    amee2k is now known as amee2k_
  256. join
    gammaproduction (~gammaprod@f052098245.adsl.alicedsl.de) entered the channel
  257. nick
    amee2k_ is now known as amee2k
  258. join
    u42p (~u42p@d144101.adsl.hansenet.de) entered the channel
  259. message at
    u42p
    can i control what users are allowed to embed html?
  260. quit
    u42p (~u42p@d144101.adsl.hansenet.de) has quit (Read error: Connection reset by peer)
  261. quit
    markuman (~markuman@pD9E1BD7C.dip.t-dialin.net) has quit (Ping timeout: 240 seconds)
  262. join
    markuman (~markuman@pD9E1BC21.dip.t-dialin.net) entered the channel
  263. join
    markuman_ (~markuman@pD9E1BC21.dip.t-dialin.net) entered the channel
  264. quit
    markuman (~markuman@pD9E1BC21.dip.t-dialin.net) has quit (Ping timeout: 255 seconds)
  265. quit
    markuman_ (~markuman@pD9E1BC21.dip.t-dialin.net) has quit (Quit: leaving)
  266. join
    markuman (~markuman@pD9E1BC21.dip.t-dialin.net) entered the channel
  267. quit
    einhirn (~Miranda@bsod.rz.tu-clausthal.de) has quit (Quit: Miranda IM! Smaller, Faster, Easier. http://miranda-im.org)
  268. join
    Suraia (~suraia@f054070146.adsl.alicedsl.de) entered the channel
  269. join
    LongBeach (~mike@AFontenayssB-152-1-17-33.w82-121.abo.wanadoo.fr) entered the channel
  270. quit
    gammaproduction (~gammaprod@f052098245.adsl.alicedsl.de) has quit (Quit: Leaving.)
  271. quit
    markuman (~markuman@pD9E1BC21.dip.t-dialin.net) has quit (Quit: leaving)
  272. quit
    splitbrain (~andi@pdpc/supporter/active/splitbrain) has quit (Quit: Ex-Chat)
  273. join
    markuman (~markuman@pD9E1BC21.dip.t-dialin.net) entered the channel
  274. join
    markinfo (~marek@dhcp09.algebra.tuwien.ac.at) entered the channel
  275. quit
    bipo (~bipo@85-124-200-139.static.xdsl-line.inode.at) has quit (Remote host closed the connection)
  276. quit
    lupo49 (~lupo49@pD9E9F9DB.dip.t-dialin.net) has quit (Quit: .)
  277. quit
    LongBeach (~mike@AFontenayssB-152-1-17-33.w82-121.abo.wanadoo.fr) has quit (Ping timeout: 260 seconds)
  278. quit
    datadigger (~digidigge@knuyt.demon.nl) has quit (Remote host closed the connection)
  279. join
    datadigger (~digidigge@knuyt.demon.nl) entered the channel
  280. quit
    markinfo (~marek@dhcp09.algebra.tuwien.ac.at) has quit (Remote host closed the connection)
  281. quit
    Suraia (~suraia@f054070146.adsl.alicedsl.de) has quit (Quit: Suraia)