WikiConfigFile and WikiModuleDir ENV variables

Currently the config file and modules are supposed to be in $DataDir,
which does not make any sense from a security point of view. Files with
code should not be in directories that are writable by www-data.

Previously you had to use a wrapper script to work around that. Now we
provide special variables.

Please note that oddmuse will sometimes cache data by using Storable.
Such a cache is saved to the disk and then read back when required. This,
however, is an insecure operation given that there is a risk that the
file will be manipulated from www-data in a malicious way.
Alex Schroeder
2015-10-06 04:53:21 +03:00
parent 0904f168d1
commit d17cdb43b0

wiki.pl

@@ -31,7 +31,7 @@
package OddMuse;
use strict;
use utf8; # in case anybody ever addes UTF8 characters to the source
use utf8; # in case anybody ever adds UTF8 characters to the source
use CGI qw/-utf8/;
use CGI::Carp qw(fatalsToBrowser);
use File::Glob ':glob';
@@ -39,9 +39,8 @@ use sigtrap 'handler' => \&HandleSignals, 'normal-signals', 'error-signals';
local $| = 1; # Do not buffer output (localized for mod_perl)
# Options:
our ($ScriptName, $FullUrl, $ModuleDir, $PageDir, $TempDir, $LockDir, $KeepDir, $RssDir,
$ConfigFile, $RcFile, $RcOldFile, $IndexFile, $NoEditFile, $VisitorFile, $DeleteFile,
$RssLicense,
our ($ScriptName, $FullUrl, $PageDir, $TempDir, $LockDir, $KeepDir, $RssDir,
$RcFile, $RcOldFile, $IndexFile, $NoEditFile, $VisitorFile, $DeleteFile, $RssLicense,
$FreeLinkPattern, $LinkPattern, $FreeInterLinkPattern, $InterLinkPattern,
$UrlPattern, $FullUrlPattern, $InterSitePattern,
$UrlProtocols, $ImageExtensions, $LastUpdate,
@@ -64,9 +63,15 @@ our $UseConfig //= 1;
# Main wiki directory
our $DataDir;
$DataDir = $ENV{WikiDataDir} if $UseConfig and not $DataDir;
$DataDir ||= '/tmp/oddmuse'; # FIXME: /var/opt/oddmuse/wiki ?
our $ConfigPage ||= ''; # config page
$DataDir ||= $ENV{WikiDataDir} if $UseConfig;
$DataDir ||= '/tmp/oddmuse'; # FIXME: /var/opt/oddmuse/wiki ?
our $ConfigFile;
$ConfigFile ||= $ENV{WikiConfigFile} if $UseConfig;
our $ModuleDir;
$ModuleDir ||= $ENV{WikiModuleDir} if $UseConfig;
our $ConfigPage ||= '';
# 1 = Run script as CGI instead of loading as module
our $RunCGI //= 1;
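Review bot: the new `$ConfigFile ||= $ENV{WikiConfigFile} if $UseConfig;` and `$ModuleDir ||= $ENV{WikiModuleDir} if $UseConfig;` lines take whatever path the environment supplies, carry no comment, and nothing in this hunk gives either variable a default, so with the environment variables unset both are still undefined after these lines. Please add a comment above them saying that both paths are expected to live outside `$DataDir`, in a location the web server user cannot write to, and note where the fallback is applied when the environment is empty. The `# config page` comment on `our $ConfigPage ||= '';` was dropped in the same edit and could be kept. The `/tmp/oddmuse` default with its FIXME is unchanged, so a deployment that sets no `WikiDataDir` still runs its data directory out of `/tmp`.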