This page describes how to secure the private sections of DokuWiki.
Last updated for version 2010-11-07.
To protect private information, you can easily restrict access to pages or folders (namespaces) using ACL:
This rule disables access to the folder/page, including in search results and recent changes.
You can then grant limited access to specific users or groups.
Note that the superuser always has full access to all pages.
To make the index reflect the ACL rules, enable the general option “sneaky_index”.
Error messages differ between unauthorized access and page not found, so anyone can tell whether a page exists.
To hide a namespace completely, deny access to the root “*” and then authorize the public pages and namespaces manually.
For example:

| page | group | rights |
|---|---|---|
| * | @ALL | None |
| start | @ALL | Read |
| sidebar | @ALL | Read |
| linux:* | @ALL | Read |
| en:* | @ALL | Read |
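To see how the “deny the root, then allow public parts” table above is actually resolved, here is an added example (not DokuWiki's own code) that models the lookup order of DokuWiki's `auth_aclcheck()` in Python. The rules are written in the syntax of `conf/acl.auth.php`, the file the ACL manager stores this table in; the `@staff` and `alice` rules on a hypothetical `private:` namespace are constructed to show the “limited access to specific users or groups” step.

```python
# Added example (not DokuWiki's own code): a Python model of how DokuWiki
# resolves ACL rules from conf/acl.auth.php.  Rule lines have the form
# "<page or ns:*>  <user or @group>  <level>".
import re

AUTH_NONE, AUTH_READ, AUTH_EDIT, AUTH_CREATE, AUTH_UPLOAD, AUTH_DELETE = 0, 1, 2, 4, 8, 16

# Constructed sample: the table from the page in acl.auth.php syntax, plus two
# hypothetical rules granting limited access to a private namespace.
ACL_AUTH_PHP = """\
# <page/namespace>  <user/@group>  <permission>
*          @ALL    0
start      @ALL    1
sidebar    @ALL    1
linux:*    @ALL    1
en:*       @ALL    1
private:*  @staff  2
private:*  alice   16
"""

def parse_acl(text):
    """Return (path, subject, level) triples, ignoring comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, subject, level = re.split(r"[ \t]+", line)
        rules.append((path, subject, int(level)))
    return rules

def get_ns(page_id):
    """Namespace part of a page id ('en:linux:install' -> 'en:linux'), '' at root."""
    return page_id.rpartition(":")[0]

def _best_level(rules, path, subjects, cap):
    """Highest level among rules for `path` naming one of `subjects`, or -1."""
    best = -1
    for rule_path, subject, level in rules:
        if rule_path == path and subject in subjects:
            best = max(best, min(level, cap))
    return best

def acl_check(page_id, user, groups, rules):
    """Effective permission of `user` (member of `groups`, given with their
    leading '@') on `page_id`.

    Resolution order, as in DokuWiki: a rule naming the exact page wins first;
    otherwise the closest enclosing namespace rule ('ns:*') wins, walking up
    to the root rule '*'.  Among matching rules at the same level the highest
    permission applies.  Page rules are capped at edit, since create, upload
    and delete only make sense on namespaces.
    """
    subjects = set(groups) | {"@ALL"}   # everyone, logged in or not, is in @ALL
    if user:
        subjects.add(user)              # anonymous visitors carry only @ALL
    level = _best_level(rules, page_id, subjects, AUTH_EDIT)
    if level > -1:
        return level
    ns = get_ns(page_id)
    while True:
        path = ns + ":*" if ns else "*"
        level = _best_level(rules, path, subjects, AUTH_DELETE)
        if level > -1:
            return level
        if path == "*":
            return AUTH_NONE            # no root rule at all: deny everyone
        ns = get_ns(ns)

RULES = parse_acl(ACL_AUTH_PHP)

def demo():
    """Anonymous visitors (only @ALL) against the example table."""
    return {page: acl_check(page, None, [], RULES)
            for page in ("start", "en:linux:install", "private:plans", "secret:page")}

if __name__ == "__main__":
    for page, level in demo().items():
        print(f"{page:20s} -> {level}")
```

With the root denied, `en:linux:install` is readable only because the walk up the namespaces hits `en:*` before `*`, while `secret:page`, which no allow rule covers, falls through to the root deny. A member of `@staff` gets edit on `private:plans`; `alice` gets the higher of her user rule and her group rule.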
ACLs allow limiting access to pages, but do not hide the fact that they exist.
This section discusses security issues I found when using private areas; solutions are also provided.
Demonstration of the issues with a simple wiki:
Please find the screenshots:
Each issue is described in detail below.
Even if the content is blocked, it is still possible to learn the page's title if “useheading” is enabled.
Patch: dokuwiki-2010-11-07_secu1.patch

```
:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki-2010-11-07_secu1.patch
patching file parserutils.php
:/opt/dokuwiki/inc#
```
It is possible to tell whether a page exists by looking at the style applied to “youarehere” (this text is used as the upper-left title of my template).
Patch: dokuwiki-2010-11-07_secu2.patch

```
:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki-2010-11-07_secu2.patch
patching file template.php
:/opt/dokuwiki/inc#
```
The breadcrumb stores visited pages only if they exist.
Patch: dokuwiki-2010-11-07_secu3.patch

```
:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki-2010-11-07_secu3.patch
patching file common.php
:/opt/dokuwiki/inc#
```
When a page links to other pages, the links can reveal whether those pages exist.
Moreover, if useheading is on, the title of the target page is also displayed.
Patch: dokuwiki-2010-11-07_secu4.patch

```
:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki-2010-11-07_secu4.patch
patching file parser/xhtml.php
:/opt/dokuwiki/inc#
```

Warning: generated pages are cached, so a user may see a link rendered as accessible if the cached content was generated for an authorized user.
To avoid this, do not link to private parts from public pages, or use the NOCACHE directive (`~~NOCACHE~~`).
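The link and title leaks above come down to one thing: the renderer decides how a link looks from the file system alone, never from the viewer's permission. The following added example (not DokuWiki's code, and not the patches themselves) models that in Python, placing the leaky rendering beside the hardened form in which a page the viewer may not read is drawn exactly like a missing page, and adds a self-check a template author can run to confirm the markup no longer acts as an existence oracle. The CSS classes `wikilink1` (existing page) and `wikilink2` (missing page) are DokuWiki's real ones; the sample wiki and page headings are constructed.

```python
# Added example (not DokuWiki's own code): a Python model of the link-rendering
# leak and of the hardened behaviour.  DokuWiki marks links to existing pages
# with CSS class "wikilink1" and links to missing pages with "wikilink2"; with
# useheading on it uses the target's first heading as the link text.  Both
# reveal that a denied page exists unless permission is taken into account.
from dataclasses import dataclass

AUTH_NONE, AUTH_READ = 0, 1

@dataclass
class Page:
    exists: bool
    heading: str = ""

# Constructed sample wiki: one public page and one private page.  Any other id
# is a missing page.
WIKI = {
    "start":        Page(True, "Welcome"),
    "private:plan": Page(True, "Budget 2011"),
}

def render_link_leaky(target, viewer_perm, use_heading=True):
    """Original behaviour: class and title depend only on whether the file exists."""
    page = WIKI.get(target, Page(False))
    css = "wikilink1" if page.exists else "wikilink2"
    text = page.heading if (use_heading and page.heading) else target
    return f'<a href="/doku.php?id={target}" class="{css}">{text}</a>'

def render_link_hardened(target, viewer_perm, use_heading=True):
    """Hardened behaviour: a page the viewer may not read is rendered exactly
    like a page that does not exist (same class, id as text), so the markup
    carries no information about existence or title."""
    page = WIKI.get(target, Page(False))
    visible = page.exists and viewer_perm >= AUTH_READ
    css = "wikilink1" if visible else "wikilink2"
    text = page.heading if (visible and use_heading and page.heading) else target
    return f'<a href="/doku.php?id={target}" class="{css}">{text}</a>'

def is_oracle(render, denied_target, missing_target):
    """Template self-check: for an anonymous viewer, does a denied page render
    differently from a missing one?  The ids themselves are normalised away so
    only class and text are compared."""
    denied = render(denied_target, AUTH_NONE).replace(denied_target, "ID")
    missing = render(missing_target, AUTH_NONE).replace(missing_target, "ID")
    return denied != missing

if __name__ == "__main__":
    for name, render in (("leaky", render_link_leaky), ("hardened", render_link_hardened)):
        print(name, "denied:", render("private:plan", AUTH_NONE))
        print(name, "missing:", render("private:nothing", AUTH_NONE))
        print(name, "is an existence oracle:", is_oracle(render, "private:plan", "private:nothing"))
```

Because the hardened output now depends on who is viewing, a page containing such links must not be served from the shared render cache; that is exactly why the warning above recommends `~~NOCACHE~~` on public pages that link into private areas.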
Patch for version 2008-05-05: doku_hide-2008-05-05.patch

```
wiki:/opt/wiki# patch -p 1 < /root/doku_hide.patch
patching file inc/common.php
patching file inc/parser/xhtml.php
patching file inc/parserutils.php
patching file inc/template.php
wiki:/opt/wiki#
```

Patch for version 2009-02-14: dokuwiki-2009-02-14_security.patch

```
wiki:/opt/wiki/inc# patch -p 1 < /root/doku_hide.patch
patching file common.php
patching file parser/xhtml.php
patching file parserutils.php
patching file template.php
wiki:/opt/wiki/inc#
```