Revision [17329]

This is an old revision of RelocatingWikka made by JavaWoman on 2007-08-04 16:32:28.

 

Relocating or Sharing a Wikka installation


A bit of history

From the Wikka archeology department.

From the earliest point in its history, Wakka version 0.1 (dated 2002-09-04, going by the README signed by Hendrik Mans), Wakka has supported a mechanism to locate its configuration file somewhere other than in the installation directory. That mechanism was to look for an environment variable called WAKKA_CONFIG, using the PHP call getenv(). If that variable is set and the file it points to exists, that file is loaded as the configuration file; otherwise the default location in the installation directory is used.

I have not been able (yet?) to trace any documentation of why this was done, but my guess would be it was intended to be able to store the configuration file outside the webroot for security reasons: the configuration includes all data necessary to access the database the wiki uses, which is a security risk.

From the earliest incarnation of its successor Wikka (version 1.0.0) right through version 1.1.6.2, that mechanism has remained in place. Unfortunately, getenv() itself constitutes a security risk, as pointed out by several Wikka users on this site and on one of the mailing lists. Not sure who got there first, but a likely candidate is DotMG, whose original post on WikkaBugs now lives on as #98: GetEnv is not a good idea. In effect, we had an insecure method to enhance security...

Meanwhile I was looking at security aspects for several areas of Wikka, and came up with a possible solution for a secure configuration in WikkaSecureConfig (Securing the configuration), its first incarnation dated 2004-12-16. My primary concern was the presence of such sensitive data as database access parameters in the installation directory, but I did refer to the security risk posed by using getenv(). The last edit on that page was 2005-05-29... nothing much came of it, it seems. Until several people independently discovered that getenv() itself was a security risk, and started mentioning it to us here and there.
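The WAKKA_CONFIG lookup described in the history above, written out as an added example (not code from Wakka or Wikka), next to a variant that treats the variable's value as untrusted and accepts only a .php file under one fixed directory. The function names, the default file name and the allowed directory are assumptions made for the illustration.

```php
<?php
// Added illustration, not Wakka/Wikka code. File names and directories are assumptions.
const DEFAULT_CONFIG = __DIR__ . '/wakka.config.php';  // assumed default location
const ALLOWED_CONFIG_DIR = '/etc/wikka';               // hypothetical, outside the webroot

// The mechanism as the page describes it: use WAKKA_CONFIG if that file exists.
function legacy_config_path(): string
{
    $path = getenv('WAKKA_CONFIG');
    if ($path !== false && file_exists($path)) {
        return $path;   // any existing path is accepted; the caller loads it
    }
    return DEFAULT_CONFIG;
}

// Variant that treats the variable's value as untrusted input.
function checked_config_path(string $allowedDir = ALLOWED_CONFIG_DIR): string
{
    $path = getenv('WAKKA_CONFIG');
    if ($path === false || $path === '') {
        return DEFAULT_CONFIG;
    }
    $real = realpath($path);        // resolves symlinks and "..", false if missing
    $base = realpath($allowedDir);
    if ($real === false || $base === false) {
        return DEFAULT_CONFIG;
    }
    // Accept only a regular .php file located under the allowed directory.
    $inside = strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
    if (!$inside || !is_file($real) || pathinfo($real, PATHINFO_EXTENSION) !== 'php') {
        error_log('WAKKA_CONFIG rejected: ' . $path);
        return DEFAULT_CONFIG;
    }
    return $real;
}

// Constructed demo: one path outside the allowed directory, one inside it.
$dir = sys_get_temp_dir() . '/wikka_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/site.php', "<?php \$wakkaConfig = [];\n");
putenv('WAKKA_CONFIG=' . __FILE__);              // exists, but outside $dir
var_dump(legacy_config_path() === __FILE__);
var_dump(checked_config_path($dir) === DEFAULT_CONFIG);
putenv('WAKKA_CONFIG=' . $dir . '/site.php');    // inside $dir
var_dump(checked_config_path($dir) === realpath($dir . '/site.php'));
unlink($dir . '/site.php');
rmdir($dir);
```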

Security: getting rid of GetEnv() first

A preliminary solution
(stub)

Getting back to relocating files

A more structured approach.
(stub)

What this can do for you

A few example use cases.
(stub)

 

CategoryDevelopmentArchitecture CategoryDevelopmentSecurity