From d17cdb43b0e6dccdc79239e9ebde56bc8e92dbce Mon Sep 17 00:00:00 2001 From: Alex Schroeder Date: Tue, 6 Oct 2015 04:53:21 +0300 Subject: [PATCH] WikiConfigFile and WikiModuleDir ENV variables Currently the config file and modules are supposed to be in $DataDir, which does not make any sense from a security point of view. Files with code should not be in directories that are writable by www-data. Previously you had to use a wrapper script to work around that. Now we provide special variables. Please note that oddmuse will sometimes cache data by using Storable. Such cache is saved to the disk and then read back when required. This, however, is an insecure operation given that there is a risk that the file will be manipulated from www-data in a malicious way. --- wiki.pl | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/wiki.pl b/wiki.pl index 8c688028..d20eb844 100755 --- a/wiki.pl +++ b/wiki.pl @@ -31,7 +31,7 @@ package OddMuse; use strict; -use utf8; # in case anybody ever addes UTF8 characters to the source +use utf8; # in case anybody ever adds UTF8 characters to the source use CGI qw/-utf8/; use CGI::Carp qw(fatalsToBrowser); use File::Glob ':glob'; @@ -39,9 +39,8 @@ use sigtrap 'handler' => \&HandleSignals, 'normal-signals', 'error-signals'; local $| = 1; # Do not buffer output (localized for mod_perl) # Options: -our ($ScriptName, $FullUrl, $ModuleDir, $PageDir, $TempDir, $LockDir, $KeepDir, $RssDir, - $ConfigFile, $RcFile, $RcOldFile, $IndexFile, $NoEditFile, $VisitorFile, $DeleteFile, - $RssLicense, +our ($ScriptName, $FullUrl, $PageDir, $TempDir, $LockDir, $KeepDir, $RssDir, + $RcFile, $RcOldFile, $IndexFile, $NoEditFile, $VisitorFile, $DeleteFile, $RssLicense, $FreeLinkPattern, $LinkPattern, $FreeInterLinkPattern, $InterLinkPattern, $UrlPattern, $FullUrlPattern, $InterSitePattern, $UrlProtocols, $ImageExtensions, $LastUpdate, 
@@ -64,9 +63,15 @@ our $UseConfig //= 1; # Main wiki directory our $DataDir; -$DataDir = $ENV{WikiDataDir} if $UseConfig and not $DataDir; -$DataDir ||= '/tmp/oddmuse'; # FIXME: /var/opt/oddmuse/wiki ? -our $ConfigPage ||= ''; # config page +$DataDir ||= $ENV{WikiDataDir} if $UseConfig; +$DataDir ||= '/tmp/oddmuse'; # FIXME: /var/opt/oddmuse/wiki ? + +our $ConfigFile; +$ConfigFile ||= $ENV{WikiConfigFile} if $UseConfig; +our $ModuleDir; +$ModuleDir ||= $ENV{WikiModuleDir} if $UseConfig; + +our $ConfigPage ||= ''; # 1 = Run script as CGI instead of loading as module our $RunCGI //= 1;
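Review bot: Nothing in the new `$ConfigFile` / `$ModuleDir` lines checks or documents that the paths taken from `WikiConfigFile` and `WikiModuleDir` must lie outside what the web server user can write, although that is the stated purpose of the change. When either variable is unset it stays undefined here, so whatever default is applied later (outside this hunk, presumably still under `$DataDir`, which itself falls back to the shared `/tmp/oddmuse`) goes on loading code from a writable location without any signal to the administrator. I would add a comment above the new block such as `# Code locations: set WikiConfigFile and WikiModuleDir to paths www-data cannot write; if unset, the old $DataDir defaults apply`. A startup check along the lines of `warn "config file $ConfigFile is writable by the server user" if $ConfigFile and -w $ConfigFile;` would also make a misconfigured deployment visible in the error log; the places where both variables are consumed are not in this hunk, so the best spot for that check should be confirmed there.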