Date: Wed Dec 7 05:00:19 2022 UTC
Message: Daily backup
(:Summary:variables crucial for site security:)
:$AllowPassword: This variable contains the special "nopass" password which was used in the past to leave pages or groups accessible without a password. Recent PmWiki versions use "@nopass" instead. If your wiki is old and/or may contain pages with the "nopass" password, you should not change it. If this variable is empty or set to false, PmWiki will not check whether pages have a special "allowed password".

:$DefaultPasswords: Specifies the default passwords for the admin user and for actions (edit, read, upload). See [[PmWiki/PasswordsAdmin#settingsitewidepasswords]].

:$DenyHtaccessContent: Specifies the default content of the @@.htaccess@@ files that PmWiki creates in new directories under wiki.d (these files deny direct web access to the page files). The Apache server [[https://httpd.apache.org/docs/2.4/upgrading.html#run-time|changed these directives in version 2.4]]; the default value works for both new and older server versions.

:$EnablePostAttrClearSession: A switch controlling whether changing a page's attributes causes any passwords already entered to be forgotten. By default they are forgotten; set $EnablePostAttrClearSession to zero to keep them.

:$EnableSessionPasswords: Controls whether passwords are saved as part of the session. If set to zero, session passwords are never saved (any [[AuthUser]] authentications are still remembered).

:$SetCookieFunction: The name of a custom function used to send cookies to the browser instead of @@[[Functions#pmsetcookie|pmsetcookie()]]@@. It must accept the same arguments as @@pmsetcookie()@@.

:$EnableCookieSecure: Set to 1 to enable the "[[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie|Secure]]" flag on the core PmWiki cookies, so that they are only transmitted over HTTPS. This covers the author, preference and cache cookies and any custom cookies set via [[Functions#pmsetcookie|pmsetcookie()]].\\
Note: the PHP session cookie is not covered by this flag; for it you also need this line: [@ @ini_set('session.cookie_secure', true); @]\\
Add these lines near the beginning of config.php.

:$EnableCookieHTTPOnly: Set to 1 to enable the "[[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie|HttpOnly]]" flag on the core PmWiki cookies, so that they are not exposed to JavaScript. This covers the author, preference and cache cookies and any custom cookies set via [[Functions#pmsetcookie|pmsetcookie()]].\\
Note: the PHP session cookie is not covered by this flag; for it you also need this line: [@ @ini_set('session.cookie_httponly', true); @]\\
Add these lines near the beginning of config.php.

:$SessionEncode: Function used to encode sensitive information stored in the session. Set it to NULL to store the values without encoding. (See also $SessionDecode below.)

:$SessionDecode: Function that reverses the encoding done by $SessionEncode above. Set it to NULL if sensitive session values are not encoded.

:$HandleAuth: Sets the authorization level required to perform an [[PmWiki/AvailableActions|action]]. With the following line in your @@config.php@@, viewing the page history (@@?action=diff@@) requires edit authorization instead of the default read authorization:
 $HandleAuth['diff'] = 'edit';

:$PageAttributes: The strings shown on the attributes page when entering a password for an action.

:$AuthLDAPBindDN: For sites using [[AuthUser]] with LDAP authentication, the distinguished name (DN) used to bind to the LDAP server when checking identities.

:$AuthLDAPBindPassword: For [[AuthUser]] with LDAP authentication, the password used for the bind (together with $AuthLDAPBindDN above).

:$AuthLDAPReferrals: Whether to automatically follow referrals returned by the LDAP server; set to 1 to enable or 0 to disable. By default this variable is unset and the connection follows referrals if they are enabled on the server side (they usually are).

:$EnablePublishAttr: Adds a "publish" authorization level to distinguish editing drafts from publishing them; see $EnableDrafts.

:$EnablePageVarAuth: In PmWiki versions 2.2.22 and 2.2.23 this variable should be set to 0. From 2.2.24 on it is no longer used.

:$RobotActions: An array controlling which [[AvailableActions|actions]] web bots may reach. The keys are action names; a value of 1 or true makes the action reachable. If an action is not present as a key, or its value evaluates to false or zero, a bot requesting that action is refused. By default only the actions "browse", "rss" and "dc" are reachable by bots. For example:\\
@@$RobotActions['download'] = 1; @@ # '''allow''' bots to download files when $EnableDirectDownload is disabled (page permissions are respected)\\
@@$RobotActions['rss'] = 0; @@ # '''disallow''' bots from fetching the RSS feed\\
@@$RobotActions['print'] = 1; @@ # allow bots to get the print view\\
Custom actions defined by cookbook recipes can be used as keys as well.

:$RobotPattern: A regular expression matching the user-agent strings of known bots.

:$EnableRobotCloakActions: Setting this flag to 1 removes any forbidden ?action= values from the page links returned to robots, which reduces the bandwidth consumed by robots even further.


See also:
* [[Security]]
* $EnablePageListProtect
* $EnableDirectDownload
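A hardened cookie and action-authorization section for local/config.php, given here as an added example that ties together the $EnableCookieSecure, $EnableCookieHTTPOnly, $SetCookieFunction and $HandleAuth settings described above. It is not taken from the PmWiki documentation or code base. The argument order of the replacement cookie function ($name, $val, $exp, $path, $dom, $secure, $httponly) is assumed from this page's note that $SetCookieFunction must accept the same arguments as pmsetcookie(); the SameSite value and the choice of actions moved to edit authorization are this example's own.

```php
<?php if (!defined('PmWiki')) exit();
## Added example for local/config.php; not PmWiki's own code.
## pmsetcookie()'s argument order ($name, $val, $exp, $path, $dom,
## $secure, $httponly) is assumed from the documented requirement that
## $SetCookieFunction accepts the same arguments.

## 1. Flags for the core cookies (author, preferences, cache) and for
##    anything sent through pmsetcookie().
$EnableCookieSecure = 1;     # Secure: only sent over HTTPS
$EnableCookieHTTPOnly = 1;   # HttpOnly: hidden from JavaScript

## 2. The PHP session cookie is not covered by the two flags above, so
##    set the matching ini values before any session is started.
@ini_set('session.cookie_secure', true);
@ini_set('session.cookie_httponly', true);
@ini_set('session.cookie_samesite', 'Lax');
@ini_set('session.use_strict_mode', true);  # reject session IDs the server never issued

## 3. Optional replacement cookie sender that also adds SameSite=Lax
##    to every cookie PmWiki sets (the SameSite value is this example's choice).
function HardenedSetCookie($name, $val = '', $exp = 0, $path = '',
                           $dom = '', $secure = null, $httponly = null) {
  global $EnableCookieSecure, $EnableCookieHTTPOnly;
  # null means "use the site-wide flag", mirroring the documented behaviour
  if ($secure === null)   $secure   = (bool)$EnableCookieSecure;
  if ($httponly === null) $httponly = (bool)$EnableCookieHTTPOnly;
  # The options-array form of setcookie() requires PHP 7.3 or later.
  return setcookie($name, (string)$val, array(
    'expires'  => (int)$exp,
    'path'     => $path,
    'domain'   => $dom,
    'secure'   => $secure,
    'httponly' => $httponly,
    'samesite' => 'Lax',
  ));
}
$SetCookieFunction = 'HardenedSetCookie';

## 4. Require edit authorization, not just read, for the actions that
##    expose page history and raw source.
$HandleAuth['diff']   = 'edit';
$HandleAuth['source'] = 'edit';
```

Place this block near the beginning of config.php, before any recipe that starts a session or sends a cookie; a cookie that has already been sent is not affected by flags set afterwards.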
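The decision rule described under $RobotActions, $RobotPattern and $EnableRobotCloakActions, reimplemented as a stand-alone PHP script so the effect of each configuration line can be checked offline. This is an added illustration and not PmWiki's own request-handling code; the bot pattern, the sample user agents and the HTML fragment are constructed for the example.

```php
<?php
## Added illustration of the $RobotActions / $RobotPattern /
## $EnableRobotCloakActions rules; not PmWiki's request-handling code.
## $RobotPattern below is a constructed stand-in for the real pattern.

$RobotPattern = '/(Googlebot|bingbot|Baiduspider|Yandex|curl|python-requests)/i';

## Documented defaults: only browse, rss and dc are reachable by bots.
$RobotActions = array('browse' => 1, 'rss' => 1, 'dc' => 1);

## The three overrides shown in the documentation.
$RobotActions['download'] = 1;  # allow downloads (page permissions still apply)
$RobotActions['rss']      = 0;  # refuse the RSS feed to bots
$RobotActions['print']    = 1;  # allow the print view

function IsRobot($userAgent, $pattern) {
  return (bool)preg_match($pattern, (string)$userAgent);
}

## true = serve the request, false = refuse it. For a bot, an undefined
## key, 0 or false all mean "refuse"; the table never restricts humans.
function RobotActionAllowed($action, $userAgent, $pattern, $actions) {
  if (!IsRobot($userAgent, $pattern)) return true;
  if ($action === '' || $action === null) $action = 'browse';  # default action
  return !empty($actions[strtolower($action)]);
}

## $EnableRobotCloakActions: strip ?action= values a bot may not reach
## from the links in the page served to it, so it has nothing to follow.
function CloakRobotLinks($html, $actions) {
  return preg_replace_callback('/\?action=([A-Za-z0-9_]+)/',
    function ($m) use ($actions) {
      return !empty($actions[strtolower($m[1])]) ? $m[0] : '';
    }, $html);
}

## Constructed sample requests: (action, user agent).
$samples = array(
  array('browse',   'Mozilla/5.0 (compatible; Googlebot/2.1)'),
  array('rss',      'Mozilla/5.0 (compatible; Googlebot/2.1)'),
  array('edit',     'Mozilla/5.0 (compatible; bingbot/2.0)'),
  array('download', 'curl/8.4.0'),
  array('print',    'python-requests/2.31'),
  array('edit',     'Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0'),
);
foreach ($samples as $s) {
  list($action, $ua) = $s;
  printf("%-9s %-48s %s\n", $action, $ua,
    RobotActionAllowed($action, $ua, $RobotPattern, $RobotActions) ? 'serve' : 'refuse');
}

## Constructed HTML fragment with one forbidden and one allowed action link.
$html = '<a href="/Main/HomePage?action=edit">Edit</a> '
      . '<a href="/Main/HomePage?action=print">Print</a>';
echo CloakRobotLinks($html, $RobotActions), "\n";
```

Run it with `php robots.php` and compare the table against the three override lines: the feed is refused to Googlebot because the key is set to 0, the edit action is refused to bingbot because the key is absent, and the Firefox request is never consulted against the table at all.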