X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/cfdba3c70815bed12e106a2f749624040a9aa27d..20ab3bd8e4a4190dc19aa348c237fc3feef42322:/doc/security.mdwn diff --git a/doc/security.mdwn b/doc/security.mdwn index 830cd415b..c51cd5b95 100644 --- a/doc/security.mdwn +++ b/doc/security.mdwn @@ -57,16 +57,16 @@ So it's best if only one person can ever directly write to those directories. ## setup files -Setup files are not safe to keep in subversion with the rest of the wiki. -Just don't do it. [[ikiwiki.setup]] is *not* used as the setup file for -this wiki, BTW. +Setup files are not safe to keep in the same revision control repository +with the rest of the wiki. Just don't do it. [[ikiwiki.setup]] is *not* +used as the setup file for this wiki, BTW. ## page locking can be bypassed via direct commits A locked page can only be edited on the web by an admin, but anyone who is allowed to commit directly to the repository can bypass this. This is by design, although a pre-commit hook could be used to prevent editing of -locked pages when using subversion, if you really need to. +locked pages, if you really need to. ## web server attacks @@ -341,7 +341,7 @@ There are at least two configurations where this is exploitable: notice. This security hole was discovered on 26 November 2007 and fixed the same -da with the release of ikiwiki 2.14. I recommend upgrading to this version +day with the release of ikiwiki 2.14. I recommend upgrading to this version if your wiki can be committed to by third parties. Alternatively, don't use a trailing slash in the srcdir, and avoid the (unusual) configurations that allow the security hole to be exploited.
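Review bot: in the "page locking can be bypassed via direct commits" paragraph of the first hunk (@@ -57,16 +57,16), dropping "when using subversion" makes the pre-commit hook suggestion read as valid for any revision control system. In a distributed system a pre-commit hook runs in the committer's own clone, where the committer can skip or remove it, so it cannot enforce page locks. Suggest naming a hook that runs on the repository the wiki is built from, for example "a hook run on the server when commits are received could be used to reject edits to locked pages". In the "setup files" paragraph of the same hunk, the reworded text still gives no reason why setup files are unsafe to keep with the wiki; one sentence stating the reason would let readers judge the risk instead of relying on "Just don't do it."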
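Review bot: in the second hunk (@@ -341,7 +341,7), "I recommend upgrading to this version" on the corrected line reads as pinning readers to 2.14. Since this page stays in the documentation after later releases, "upgrading to this version or later" would be clearer. The "da" to "day" correction itself is right.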