Manual talk:Security

Question - I've been playing around with starting a Wiki with Wikimedia, but I'm only moderately knowledgable in these matters; furthermore, the site is managed through a hosted server, so I don't know if I have any say over Apache settings. Can some of this be rendered a little more applicable for similar situations? And can it also be made a little more dummy-friendly? Thanks.


 * Yeah it would be useful to keep this page applicable to users using shared/virtual hosting environments. These may not support huge wikis, but would be suitable for some small group collaborations.  And perhaps some of the repitition from this page could be removed. -- SimonEast 05:34, 4 Aug 2004 (UTC)

javascript attacks
You may wish to serve HTML pages as plaintext to prevent cookie-stealing JavaScript attacks.

Huh. Won't this break a lot of things? Or does this apply only to the upload directory (as the code might suggest)? And doesn't Microsoft's browser treat URLs ending in .htm as web pages anyway? An example of the attack might clarify what is going on here. --Nealmcb 02:50, 26 Jul 2004 (UTC)

User accounts
It would be nice to have some indication on how to disable user account creation or at least to prevent people from doing so from outside of a certain domain. For now it seems that all this security stuff is useless and that there is a big Hack here written on the accounts creation page.

--Osyluth 04:39, 2 Aug 2004 (UTC)

Alternative to suggested security settings
This is just a comment, these settings are not yet confirmed to be secure!

The security documentation suggest two things: for the upload directory, turn of php with the php_admin_flag engine off. However, this turns off php for the whole site (tested on Apache2, PHP 4.3 and Windows 2000). An alternative might be

RemoveType .php

Second, setting the MIME-type to text/plain for .html files will not prevent Internet Explorer 4 and upwards from displaying the file as html, because the browser will override serverprovided MIME-types if it can determine the MIME-type by analysing the file.

Allowed filetypes for upload??
I'd like to modify my wiki so that users can upload a variety of document formats such as PDF, DOC, XLS and the like and have them displayed as icons inline in the text. I tried manually putting a .ppt file in the /images directory, then creating a link that looked like


 * [[media:myfile.ppt|My Power Point]]

but the URL came out looking like


 * http://mywiki.tld/wiki/images/3/3b/myfile.ppt

When I tried the Special:Upload page, it gave me a "Warning" that .ppt was not a recommended file format. Evidently the recommendation was final, as I was never able to complete the upload.

So I guess my question is, how do I add alternative upload filetypes to the list of allowed ones? Also, what's the logic behind the directory structure for a media: link? It seems to have arbitrarily created the /3/3b directory structure, though I doubt it's as arbitrary as it seems.


 * You can add the line "$wgStrictFileExtensions = false;" in your LocalSettings.php to allow overriding of the warning. --H. J. Hill 14:23, 1 Feb 2005 (UTC)


 * Just a guess, but the 3/3b/ extension is probably to avoid having too many files in one folder, as that causes some other utilities to not work quite right in e.g. Linux once a certain number of files is reached. Just another guess, your file might have been named '3bwhatever.ppt', which is where the /3/3b/ came from?

Updated upload directory
The new name for the mediawiki upload directory is "/images", isn't it? I corrected the examples to reflect this name, I thought that was less confusing. If people know this was the correct thing to do, please delete this notice. Thanks. Chira 06:44, 28 Oct 2004 (UTC)

Issues related to the MediaWiki scripts
This section contains


 * Earlier versions of MediaWiki included a bug that potentially allows logged- in users to delete arbitrary files in directories writable by the web server user by manually feeding false form data; this is now fixed.

but that doesn't give me any idea if I use a "earlier" or "later" version? To paraphrase: in which version was that fixed? --H. J. Hill 14:23, 1 Feb 2005 (UTC)

Repeated text
The text mentions and gives examples of securing the upload directory three times: First under "General Security Considerations" as , then under "Issues related to the Apache httpd web server" as  and finally under "Securing the upload directory" as  again. Only one of these recommends AllowOverride None.

text/plain?
The configuration fragment for the upload directory shows text/plain for .html, .html, etc etc. While I certainly agree that script execution should be *off* for that directory, I'm not convinced that text/plain is ever the right type for those files, barring perhaps .php. --64.180.165.76 20:12, 10 Feb 2005 (UTC)