{{tag>en en:linux en:server en:web en:wiki}}

====== Dokuwiki Security ======

This page gives details on how to secure the private sections of [[en:linux:Dokuwiki]].

:!: Last update for version 2011-05-25a.

===== Create a private section =====

To protect private information, access to pages or namespaces (folders) can easily be restricted with ACLs:

  * Create the page and/or the namespace
  * When the page is displayed, click "Admin"
  * Select "Access Control List Management"
  * Add the rule:
    * Select the page or namespace
    * Select group "ALL"
    * Select "None"
  * Click "Save"

This rule removes all access to the namespace/page, including from the search and from "Recent Changes". You can then grant limited access to specific users or groups.

Please note that the superuser always has full access to all pages, whatever the ACL says.

:!: To make the index (sitemap) reflect the ACL rules, you need to enable the general option "sneaky_index".

===== Secure the root =====

The error message for an unauthorized page differs from the one for a page that does not exist, so anybody can find out whether a page exists. If only some namespaces are denied, a "permission denied" answer for a guessed id therefore reveals that a restricted namespace with that name exists. To hide such a namespace completely, deny access to the root "*" so that every id outside the public areas answers the same way, then authorise the public pages and namespaces explicitly. For example:

^ page ^ group ^ rights ^
| * | @ALL | None |
| start | @ALL | Read |
| sidebar | @ALL | Read |
| linux:* | @ALL | Read |
| en:* | @ALL | Read |

===== How to completely hide unauthorized pages =====

ACLs limit access to page content but do not hide the existence of the pages completely.\\
This section discusses the information leaks I found when using private areas; solutions are also provided.
Issues are reported on the DokuWiki bug tracker here: http://bugs.dokuwiki.org/index.php?do=details&task_id=970

==== Demo ====

Demonstration of the issues with a simple wiki:

  * the "start" page has 3 links to 3 pages
  * "valid" is an existing and authorized page
  * "hidden" is an existing but unauthorized page
  * there is no page called "empty", and "empty" is also unauthorized by the ACL
  * the ACL denies everything except "start" and "valid"
  * "useheading" is on

Please find the screenshots:

{{:linux:dokuwiki:doku_secu_1_1.png|}}
{{:linux:dokuwiki:doku_secu_1_2.png|}}
{{:linux:dokuwiki:doku_secu_1_3.png|}}
{{:linux:dokuwiki:doku_secu_1_4.png|}}

The details of the issues:

  * Even if the content is blocked, its title can still be learned if "useheading" is enabled.
  * The breadcrumb trail records visited pages only if they exist.
  * When a page links to other pages, the links reveal whether the target pages exist.\\ Moreover, if "useheading" is on, the title of the target page is also displayed.

:!: Warning: generated pages are cached, so a user can see a link rendered as authorized if the cached content was generated for an authorized user.\\
To avoid this, do not link to private parts from public pages, or use the ~~NOCACHE~~ directive on those pages.
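The ACL layout described in "Secure the root" and used by the demo above can be checked offline before it goes live. The following is an added example and not DokuWiki's own code: a simplified Python model of the lookup order implemented by auth_aclcheck() in inc/auth.php (exact page rule first, then the closest "namespace:*" rule walking up to the root rule "*", with the highest permission among matching user/group/@ALL lines at that level). The acl.auth.php content, the "@staff" group, the user names and the "en:private" namespace are all constructed for the example; the superuser name "admin" stands in for the $conf['superuser'] setting.

```python
"""Offline check of a DokuWiki ACL table.

Added example, not DokuWiki's own code: a simplified model of the lookup
order used by auth_aclcheck() in inc/auth.php. An exact page rule wins;
otherwise the closest "namespace:*" rule applies, walking up to the root
rule "*"; at the level that matches, the highest permission among lines
naming the user, one of the user's groups or @ALL is used. Permission
values follow DokuWiki's AUTH_* constants.
"""

AUTH_NONE, AUTH_READ, AUTH_EDIT, AUTH_CREATE = 0, 1, 2, 4
AUTH_UPLOAD, AUTH_DELETE, AUTH_ADMIN = 8, 16, 255

# Constructed conf/acl.auth.php content: the demo wiki's "deny all except
# start and valid", the public "en:*" namespace from the table above, and a
# private namespace that is first denied to @ALL and then granted to @staff.
ACL_AUTH_PHP = """\
# scope<TAB>user or @group<TAB>permission
*\t@ALL\t0
start\t@ALL\t1
valid\t@ALL\t1
en:*\t@ALL\t1
en:private:*\t@ALL\t0
en:private:*\t@staff\t2
"""


def parse_acl(text):
    """Return [(scope, subject, permission)] from acl.auth.php style text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed ACL line: {raw!r}")
        scope, subject, perm = parts
        rules.append((scope, subject, int(perm)))
    return rules


def get_ns(page_id):
    """Parent namespace of an id: 'en:private:plan' -> 'en:private', '' at root."""
    return page_id.rpartition(":")[0]


def _best_match(rules, scope, subjects):
    """Highest permission among rules for `scope` naming one of `subjects`.
    Returns -1 when nothing matches; ACL lines can never grant admin rights."""
    perm = -1
    for rule_scope, subject, rule_perm in rules:
        if rule_scope == scope and subject in subjects:
            perm = max(perm, min(rule_perm, AUTH_DELETE))
    return perm


def acl_check(rules, page_id, user="", groups=(), superusers=("admin",)):
    """Effective permission of `user` (member of `groups`) on `page_id`.
    `superusers` stands in for $conf['superuser'] (assumed name 'admin')."""
    if user and user in superusers:
        return AUTH_ADMIN                       # superuser bypasses the ACL
    subjects = {"@" + g for g in groups} | {"@ALL"}
    if user:
        subjects.add(user)
    perm = _best_match(rules, page_id, subjects)   # exact page rule first
    if perm > -1:
        return perm
    ns = get_ns(page_id)
    while True:                                 # then namespaces, innermost first
        scope = ns + ":*" if ns else "*"
        perm = _best_match(rules, scope, subjects)
        if perm > -1:
            return perm
        if scope == "*":
            return AUTH_NONE                    # no root rule: deny everyone
        ns = get_ns(ns)


def readable(rules, page_ids, user="", groups=()):
    """Subset of `page_ids` that `user` may read; call it with no user and
    no groups to audit what an anonymous visitor can see."""
    return [p for p in page_ids
            if acl_check(rules, p, user, groups) >= AUTH_READ]


if __name__ == "__main__":
    rules = parse_acl(ACL_AUTH_PHP)
    demo = ["start", "valid", "hidden", "empty",
            "en:linux:dokuwiki", "en:private:plan"]
    print("anonymous:", readable(rules, demo))
    print("staff    :", readable(rules, demo, "bob", ["staff"]))
```

Two things the run shows. First, "hidden" and "empty" both resolve to AUTH_NONE for an anonymous visitor: the ACL itself answers identically for an existing and a non-existent denied page, so the leaks in the demo come from the rendering layer (breadcrumb, link classes, "useheading" titles), not from the ACL. Second, the "en:private:* @ALL 0" line is what makes the namespace private; a grant for one group on a sub-namespace does not revoke the read access inherited from "en:*", so without that deny line anonymous users would still read "en:private:plan". Remember that the index is a separate concern: it only honours these rules once "$conf['sneaky_index'] = 1;" is set in conf/local.php.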
Patch: {{:linux:dokuwiki:dokuwiki_2011-05-25_secu1.patch|}}

<code>
:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki_2011-05-25_secu1.patch
patching file common.php
patching file parser/xhtml.php
:/opt/dokuwiki/inc#
</code>

==== Patched Demo ====

Once DokuWiki is patched, the demo wiki looks like this:

{{:linux:dokuwiki:doku_secu_2_1.png|}}
{{:linux:dokuwiki:doku_secu_2_2.png|}}

==== Patches for previous versions ====

=== 2008-05-05 ===

Patch for version 2008-05-05: {{linux:dokuwiki:doku_hide-2008-05-05.patch}}

<code>
wiki:/opt/wiki# patch -p 1 < /root/doku_hide.patch
patching file inc/common.php
patching file inc/parser/xhtml.php
patching file inc/parserutils.php
patching file inc/template.php
wiki:/opt/wiki#
</code>

=== 2009-02-14 ===

Patch for version 2009-02-14: {{linux:dokuwiki:dokuwiki-2009-02-14_security.patch}}

<code>
wiki:/opt/wiki/inc# patch -p 1 < /root/doku_hide.patch
patching file common.php
patching file parser/xhtml.php
patching file parserutils.php
patching file template.php
wiki:/opt/wiki/inc#
</code>

=== 2010-11-07 ===

Patches for version 2010-11-07.

== Displaying the title of hidden pages ==

Even if the content is blocked, its title can still be learned if "useheading" is enabled.

Patch: {{linux:dokuwiki:dokuwiki-2010-11-07_secu1.patch|}}

<code>
:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki-2010-11-07_secu1.patch
patching file parserutils.php
:/opt/dokuwiki/inc#
</code>

== The style used inside youarehere indicates if the page exists ==

Whether a page exists can be identified by looking at the link style (the wikilink1/wikilink2 CSS class) used inside "youarehere" (this text is used as the upper-left title of my template).

Patch: {{linux:dokuwiki:dokuwiki-2010-11-07_secu2.patch|}}

<code>
:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki-2010-11-07_secu2.patch
patching file template.php
:/opt/dokuwiki/inc#
</code>

== The breadcrumb indicates if the page exists ==

The breadcrumb trail records visited pages only if they exist.
Patch: {{linux:dokuwiki:dokuwiki-2010-11-07_secu3.patch|}}

<code>
:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki-2010-11-07_secu3.patch
patching file common.php
:/opt/dokuwiki/inc#
</code>

== The links inside the content show if the page exists and its title ==

When a page links to other pages, the links reveal whether the target pages exist.\\
Moreover, if "useheading" is on, the title of the target page is also displayed.

Patch: {{linux:dokuwiki:dokuwiki-2010-11-07_secu4.patch|}}

<code>
:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki-2010-11-07_secu4.patch
patching file parser/xhtml.php
:/opt/dokuwiki/inc#
</code>

:!: Warning: generated pages are cached, so a user can see a link rendered as authorized if the cached content was generated for an authorized user.\\
To avoid this, do not link to private parts from public pages, or use the ~~NOCACHE~~ directive on those pages.