security

Differences

This shows you the differences between two versions of the page.
security [2022-09-01 20:08] – [Reporting and Notifications] andi
security [2024-02-13 09:17] (current) – undo 178.197.202.230
Line 18: Line 18:
 The first two ways should be preferred except for very serious bugs where making the bug public before a patch is available could endanger DokuWiki installations world wide. The first two ways should be preferred except for very serious bugs where making the bug public before a patch is available could endanger DokuWiki installations world wide.
  
-Previous security issues can be seen in the [[https://github.com/splitbrain/dokuwiki/issues?q=label%3ASecurity+|bugtracking system]].+Previous security issues can be seen in the [[https://github.com/dokuwiki/dokuwiki/issues?q=label%3ASecurity+|bugtracking system]].
  
 Depending on the severity of a found security issue it will be fixed in a future release (on very minor issues) or a bugfix release will be made. In the latter case users will be informed through the [[update check]] mechanism. Depending on the severity of a found security issue it will be fixed in a future release (on very minor issues) or a bugfix release will be made. In the latter case users will be informed through the [[update check]] mechanism.
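Review bot: the link now points at github.com/dokuwiki/dokuwiki instead of github.com/splitbrain/dokuwiki while keeping the `label%3ASecurity` query, which is the part worth carrying over; confirm that the Security label actually exists on the repository under the new organisation, because a filter on a missing label returns an empty list and readers would wrongly conclude there are no past advisories. The sentences around the link are unchanged.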
Line 164: Line 164:
 ==== Deny Directory Access in Lighttpd ==== ==== Deny Directory Access in Lighttpd ====
  
-Using a [[[[https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModRewrite||URL re-write]] you can deny access to the above directories. In your /etc/lighttpd/lighttpd.conf file adding the following URL rewrite rule should be sufficient to keep people out. It supposes your Dokuwiki files are installed under http://yourwebsite.tld/dokuwiki/.+Using a [[https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModRewrite||URL re-write]] you can deny access to the above directories. In your /etc/lighttpd/lighttpd.conf file adding the following URL rewrite rule should be sufficient to keep people out. It supposes your Dokuwiki files are installed under http://yourwebsite.tld/dokuwiki/.
   url.rewrite-once = ( "^/dokuwiki/(data|conf|bin|inc|vendor)/+." => "/nonexistentfolder" )   url.rewrite-once = ( "^/dokuwiki/(data|conf|bin|inc|vendor)/+." => "/nonexistentfolder" )
 Don't forget to uncomment or add “mod_rewrite” in the server.modules section of /etc/lighttpd/lighttpd.conf. It should look like this: Don't forget to uncomment or add “mod_rewrite” in the server.modules section of /etc/lighttpd/lighttpd.conf. It should look like this:
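Review bot: the doubled `[[` is removed, but `||` is still left between the URL and the link text; DokuWiki link syntax separates target and title with a single `|`, so `[[https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModRewrite|URL re-write]]` is what was presumably intended. The lighttpd rule itself is untouched; note that `^/dokuwiki/(data|conf|bin|inc|vendor)/+.` requires at least one character after the slash, so a request for `/dokuwiki/data/` itself is not redirected to `/nonexistentfolder`, and the pattern is bound to the `/dokuwiki/` prefix exactly as the sentence "It supposes your Dokuwiki files are installed under http://yourwebsite.tld/dokuwiki/" warns.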
Line 186: Line 186:
  
 Access to aforementioned directories can be disabled in DokuWiki server section of Nginx configuration file. Access to aforementioned directories can be disabled in DokuWiki server section of Nginx configuration file.
-In your host configuration file (for example, /etc/nginx/sites-available/default) or nginx.conf file add the following location to prevent access to secure directories. +In your host configuration file (for example, /etc/nginx/sites-available/default) or nginx.conf file add the following location to prevent access to secure directories. 
 + 
 +:!: Make sure that the rule is processed before other rules that control access to certain files.((See this [[https://forum.dokuwiki.org/d/21122-security-warning-persists/9|forum thread]] and [[https://stackoverflow.com/questions/76369813/why-are-my-jpg-and-png-files-accessible-despite-nginx-access-restriction|stackoverflow]]))
  
 <code> <code>
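Review bot: the added `:!:` warning says the rule must be "processed before other rules" without saying why, which is what readers need in order to place it correctly: in nginx, regular-expression `location` blocks are evaluated in the order they appear and the first match wins, so a later `location ~ \.(jpg|png)$` style block would otherwise serve files out of the protected directories (the situation the linked stackoverflow question's title describes). Suggest wording it as "place this location block above any other regex (`~`) location blocks in the server section", and keeping the footnote with the two references as it is.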
Line 305: Line 307:
   * If you can, review the plugin source code yourself, //before// installing it.   * If you can, review the plugin source code yourself, //before// installing it.
   * If in doubt, ask on the [[mailinglist|mailing list]].   * If in doubt, ask on the [[mailinglist|mailing list]].
-  * Plugins are installed under the DokuWiki ''lib'' directory, which is directly accessible from the outside. Review what a plugin contains and lock down access with .htaccess files as appropriate.+  * Plugins are installed under the DokuWiki ''lib'' directory, which is directly accessible from the outside. Review what a plugin contains and if access is appropriate, plugins shouldn't store sensitive info in their own directory.
   * Plugins are authored by developers not directly related to the DokuWiki project - they may be inexperienced, have malicious intent or may host the plugin source code on a server that has been compromised. Be careful whom you trust!   * Plugins are authored by developers not directly related to the DokuWiki project - they may be inexperienced, have malicious intent or may host the plugin source code on a server that has been compromised. Be careful whom you trust!
   * Review the plugin page for mentioned security warnings and upgrade the plugin when new releases become available.   * Review the plugin page for mentioned security warnings and upgrade the plugin when new releases become available.
 +  * If in doubt, let plugins be reviewed by a professional first. See [[faq:support]].
  
 See also: [[devel:security#reporting_security_issues|How to report security issues in plugins]] See also: [[devel:security#reporting_security_issues|How to report security issues in plugins]]
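Review bot: the rewritten bullet is a run-on: "Review what a plugin contains and if access is appropriate, plugins shouldn't store sensitive info in their own directory" fuses two thoughts; suggest "Review what a plugin contains and whether that content should be reachable from the web; plugins should not store sensitive information in their own directory." The removed `.htaccess` sentence was the only concrete mitigation in this bullet, and since the same line still says the `lib` directory "is directly accessible from the outside", a pointer to how to lock down access is worth keeping alongside the new advice. The added "If in doubt, let plugins be reviewed by a professional first" bullet repeats the opening words of the existing "If in doubt, ask on the mailing list" bullet two lines above; merging them or changing the lead-in would read better.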
security.1662055687.txt.gz · Last modified: 2022-09-01 20:08 by andi

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International