Currently, the twiki root is configured as an HTML doc root in Apache's twiki.conf. For security, subdirectories such as twiki/data need to be excluded explicitly. If an admin adds a new subdir (such as when installing an extension), that dir needs to be excluded as well. This is easy to forget.
It is much safer not to expose the twiki root as an HTML doc root. Only twiki/pub needs to be HTML doc root enabled, and twiki/bin needs to be cgi-bin enabled.
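A sketch of the twiki.conf change described above, contrasting the current deny-list layout with an allow-list layout. This is an added example, not the configuration shipped with TWiki; the install path /var/www/twiki, the /twiki URL prefix and the Apache 2.4 `Require` syntax are assumptions.

```apache
# Assumptions (not from the TWiki distribution):
#   - TWiki is unpacked at /var/www/twiki, outside the server's DocumentRoot
#   - Apache 2.4 authorization syntax (Require ...)

# --- Current approach: the whole root is mapped, private dirs are denied one by one ---
# Alias /twiki "/var/www/twiki"
# <Directory "/var/www/twiki">
#     Require all granted
# </Directory>
# <Directory "/var/www/twiki/data">
#     Require all denied
# </Directory>
# ...one deny block per private subdirectory. A subdirectory added later
# (for example by an extension) is served until an admin adds a block for it.

# --- Proposed approach: only bin and pub are mapped into URL space ---
# Nothing else under /var/www/twiki has a URL, so new subdirectories
# are unreachable by default and need no extra configuration.
ScriptAlias /twiki/bin "/var/www/twiki/bin"
Alias       /twiki/pub "/var/www/twiki/pub"

# CGI scripts: execution comes from ScriptAlias, no .htaccess overrides
<Directory "/var/www/twiki/bin">
    AllowOverride None
    Require all granted
</Directory>

# Static attachments: served as files only, never executed or listed
<Directory "/var/www/twiki/pub">
    AllowOverride None
    Options -Indexes -ExecCGI
    Require all granted
</Directory>
```

After reloading Apache, a request for a path under /twiki/data or /twiki/lib should return 404, since no alias maps those directories.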
While we are at it, we should clean up the twiki root dir and make it easier to install TWiki.
- update twiki.conf
- update installation docs and upgrade doc
- update release notes
- update apache config generator on twiki.org
- replace .html docs in twiki root with .txt version (move to subdir?)
See proposal at TWiki:Codev/DontExposeTWikiRootAsHtmlDocRoot
- 10 Apr 2009
- 26 Oct 2009