Commit eddb051d authored by André Kerkhoff's avatar André Kerkhoff

Apache: replace protect_safe_attachments with the configurable unprotected_attachments

parent 73cc2be0
......@@ -5,5 +5,5 @@ DEPENDENCIES
GRAPH
apache2 (5.2.1)
foswiki (2.7.0)
foswiki (2.9.0)
apache2 (< 6.0)
......@@ -11,12 +11,14 @@ default['foswiki']['apache']['http_port'] = 80
default['foswiki']['apache']['https_port'] = 443
default['foswiki']['apache']['log_level'] = 'info ssl:warn'
default['foswiki']['apache']['protect_attachments'] = true
default['foswiki']['apache']['protect_safe_attachments'] = false
default['foswiki']['apache']['pub_expires_match'] = '\.(jpe?g|gif|png|css(\.gz)?|js(\.gz)?|ico)$'
default['foswiki']['apache']['pub_expires_time'] = nil # e.g. "access plus 11 days"
default['foswiki']['apache']['server_admin'] = "webmaster@#{node['fqdn']}"
default['foswiki']['apache']['server_alias'] = []
default['foswiki']['apache']['server_name'] = node['fqdn']
# Regular expressions for attachments which should be ignored when protect_attachments is set
# :default means [^/]+\.(gif|jpe?g|ico)$, System/(.*)$ and ([^/]+/)+WebPreferences/([^/]+)$
default['foswiki']['apache']['unprotected_attachments'] = :default
default['foswiki']['apache']['use_fcgi'] = true
default['foswiki']['apache']['use_short_urls'] = true
default['foswiki']['apache']['use_tls'] = false
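Review bot: Removing `protect_safe_attachments` without a migration path fails open for any node, role or environment that had set it to `true`. That value is now silently ignored while `unprotected_attachments` defaults to `:default`, so the gif/jpg/ico, `System/` and `WebPreferences/` exceptions are served directly again. Either map the old attribute in the recipe (treat `protect_safe_attachments == true` as `unprotected_attachments = []`) or raise when it is still set. The comment above the new attribute should also say that each entry is appended to `^<pub_url_path>/` in a `RewriteCond`, and that an empty array disables all exceptions.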
......@@ -3,7 +3,7 @@ maintainer 'HPC'
maintainer_email 'hpc@gsi.de'
license 'All rights reserved'
description 'Installs/Configures Foswiki'
version '2.8.0'
version '2.9.0'
depends 'apache2', '< 6.0'
supports 'debian'
supports 'ubuntu'
include_recipe 'apache2'
apache_conf = node['foswiki']['apache']
apache_conf = node['foswiki']['apache'].dup
apache_conf['unprotected_attachments'] = [
'[^/]+\.(gif|jpe?g|ico)$',
'System/(.*)$',
'([^/]+/)+WebPreferences/([^/]+)$',
] if apache_conf['unprotected_attachments'].eql? :default
include_recipe 'apache2::mod_ssl' if apache_conf['use_tls']
include_recipe 'apache2::mod_expires' if apache_conf['pub_expires_time']
......@@ -40,7 +45,6 @@ web_app apache_conf['server_name'] do
locales_dir dirs['locales']
log_level apache_conf['log_level']
protect_attachments apache_conf['protect_attachments']
protect_safe_attachments apache_conf['protect_safe_attachments']
pub_dir dirs['pub']
pub_expires_match apache_conf['pub_expires_match']
pub_expires_time apache_conf['pub_expires_time']
......@@ -53,6 +57,7 @@ web_app apache_conf['server_name'] do
server_name apache_conf['server_name']
template_dir dirs['template']
tools_dir dirs['tools']
unprotected_attachments apache_conf['unprotected_attachments']
use_fcgi apache_conf['use_fcgi']
use_short_urls apache_conf['use_short_urls']
use_tls apache_conf['use_tls']
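Review bot: In the first hunk of this file, the sentinel check `apache_conf['unprotected_attachments'].eql? :default` matches only a Ruby symbol. A value supplied from a JSON role, environment or node file can only be the string `"default"`, so it would skip the expansion and presumably reach the template as a String, on which `[0..-2].each` is not defined. Comparing with `apache_conf['unprotected_attachments'].to_s == 'default'` and normalising the final value with `Array(...)` would accept both forms. As a style point, the multi-line array assignment with a trailing `if` modifier hides the condition at the end; a regular `if … end` block reads more clearly.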
......
......@@ -98,13 +98,14 @@
# Protect attachments by rewriting to the "viewfile" script
#
<% unless @params[:protect_safe_attachments] -%>
<% unless (@params[:unprotected_attachments] || []).empty? -%>
# Permit some safe exceptions to avoid viewfile overhead
# Any gif/jpg/ico in /pub, and any files in /pub/System or any WebPreferences:
# pass through unmodified
RewriteCond %{REQUEST_URI} ^<%= @params[:pub_url_path] %>/[^/]+\.(gif|jpe?g|ico)$ [NC,OR]
RewriteCond %{REQUEST_URI} ^<%= @params[:pub_url_path] %>/System/(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^<%= @params[:pub_url_path] %>/([^/]+/)+WebPreferences/([^/]+)$
<% @params[:unprotected_attachments][0..-2].each do |attach| -%>
RewriteCond %{REQUEST_URI} ^<%= @params[:pub_url_path] %>/<%= attach %> [NC,OR]
<% end -%>
<% if @params[:unprotected_attachments].length > 1 -%>
RewriteCond %{REQUEST_URI} ^<%= @params[:pub_url_path] %>/<%= @params[:unprotected_attachments][-1] %> [NC]
<% end -%>
RewriteRule ^<%= @params[:pub_url_path] %>/.* - [L,PT]
<% end -%>
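Review bot: With exactly one entry in `unprotected_attachments`, the `[0..-2]` loop emits nothing and the `length > 1` guard suppresses the final `RewriteCond`, so `RewriteRule ^<pub_url_path>/.* - [L,PT]` is rendered with no condition and every request under the pub path bypasses the viewfile rewrite. The outer `unless … empty?` already guarantees at least one element, so the last condition should be emitted unconditionally: drop the `<% if @params[:unprotected_attachments].length > 1 -%>` / `<% end -%>` pair around it. The new conditions also apply `[NC]` to every pattern, whereas the removed `System/` and `WebPreferences/` conditions were case-sensitive; if that widening is not intended, the flag should be per-pattern. The comment "Any gif/jpg/ico in /pub, …" no longer describes a configurable list and should say the exceptions come from `unprotected_attachments`.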
......