security
Differences
This shows you the differences between two versions of the page.
security [2021-09-29 17:18] – major cleanup andi | security [2024-02-13 09:17] (current) – undo 178.197.202.230 | ||
---|---|---|---|
Line 11: | Line 11: | ||
When you discover a security issue in DokuWiki, please notify us. The preferred ways to do so are: | When you discover a security issue in DokuWiki, please notify us. The preferred ways to do so are: | ||
+ | * Report through [[https:// | ||
* Submit a [[bugs|bug report]] | * Submit a [[bugs|bug report]] | ||
* Send a mail to the [[mailinglist]] | * Send a mail to the [[mailinglist]] | ||
Line 17: | Line 18: | ||
The first two ways should be preferred except for very serious bugs where making the bug public before a patch is available could endanger DokuWiki installations world wide. | The first two ways should be preferred except for very serious bugs where making the bug public before a patch is available could endanger DokuWiki installations world wide. | ||
- | Previous security issues can be seen in the [[https:// | + | Previous security issues can be seen in the [[https:// |
Depending on the severity of a found security issue it will be fixed in a future release (on very minor issues) or a bugfix release will be made. In the latter case users will be informed through the [[update check]] mechanism. | Depending on the severity of a found security issue it will be fixed in a future release (on very minor issues) or a bugfix release will be made. In the latter case users will be informed through the [[update check]] mechanism. | ||
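Review bot: The unchanged sentence "The first two ways should be preferred ..." at the top of this hunk now refers to different items, because the hunk at Line 11 inserts a new bullet at the head of the reporting list. Before the change, "the first two ways" were the bug report and the mailing list; with the new entry in first place, the mailing list is no longer one of them. Reword the sentence to name the channels it means instead of counting list positions, and confirm that the exception for very serious bugs still reads correctly against the reordered list.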
Line 163: | Line 164: | ||
==== Deny Directory Access in Lighttpd ==== | ==== Deny Directory Access in Lighttpd ==== | ||
- | Using a [[[[https:// | + | Using a [[https:// |
url.rewrite-once = ( " | url.rewrite-once = ( " | ||
Don't forget to uncomment or add “mod_rewrite” in the server.modules section of / | Don't forget to uncomment or add “mod_rewrite” in the server.modules section of / | ||
Line 185: | Line 186: | ||
Access to aforementioned directories can be disabled in DokuWiki server section of Nginx configuration file. | Access to aforementioned directories can be disabled in DokuWiki server section of Nginx configuration file. | ||
- | In your nginx.conf file add the following location to prevent access to secure directories. | + | In your host configuration file (for example, / |
- | //This instruction | + | :!: Make sure that the rule is processed before other rules that control access to certain files.((See this [[https://forum.dokuwiki.org/d/21122-security-warning-persists/9|forum thread]] and [[https://stackoverflow.com/questions/76369813/why-are-my-jpg-and-png-files-accessible-despite-nginx-access-restriction|stackoverflow]])) |
- | //Or in the virtualhost where you are hosting dokuwiki// | + | |
< | < | ||
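Review bot: The added warning "Make sure that the rule is processed before other rules that control access to certain files" does not say what "processed before" means for nginx, and the explanation is only reachable through the two footnote links. State it in the text itself: nginx applies the first matching regular-expression location in configuration-file order, so the deny location has to appear above any other regex location, such as one for static files like the .jpg and .png case named in the linked question. A reader who only skims the page should not need the forum thread to place the rule correctly.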
Line 289: | Line 289: | ||
* [[config: | * [[config: | ||
* all [[auth|authentication settings]] | * all [[auth|authentication settings]] | ||
- | * [[config: | + | * [[config: |
* [[config: | * [[config: | ||
* [[config: | * [[config: | ||
Line 307: | Line 307: | ||
* If you can, review the plugin source code yourself, //before// installing it. | * If you can, review the plugin source code yourself, //before// installing it. | ||
* If in doubt, ask on the [[mailinglist|mailing list]]. | * If in doubt, ask on the [[mailinglist|mailing list]]. | ||
- | * Plugins are installed under the DokuWiki '' | + | * Plugins are installed under the DokuWiki '' |
* Plugins are authored by developers not directly related to the DokuWiki project - they may be inexperienced, | * Plugins are authored by developers not directly related to the DokuWiki project - they may be inexperienced, | ||
* Review the plugin page for mentioned security warnings and upgrade the plugin when new releases become available. | * Review the plugin page for mentioned security warnings and upgrade the plugin when new releases become available. | ||
+ | * If in doubt, let plugins be reviewed by a professional first. See [[faq: | ||
See also: [[devel: | See also: [[devel: |
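Review bot: The new last bullet "If in doubt, let plugins be reviewed by a professional first" repeats the opening of the existing bullet "If in doubt, ask on the mailing list", three items further up, and gives different advice for the same condition. Put the two next to each other or merge them into one item that lists both options, so the reader sees a single "if in doubt" step. Appending it after the descriptive bullets about where plugins are installed and who writes them also breaks the order of the list, which runs from actions to background.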
security.1632928709.txt.gz · Last modified: 2021-09-29 17:18 by andi