#
# -=[ Dokuwiki Front-End ]=-
#
# Note on files specified:
# /doku.php: shows pages, saves, edits, admin
# /lib/exe/ajax.php: autosave, uploads
#
# Allow pages to be edited, and ajax to save drafts.
#
# ARGS 'wikitext', 'suffix', and 'prefix' must allow the same things,
# as the page (in part or whole) is passed via 'suffix/prefix' at times.
# attack-protocol (921110-921160/920230): Allows odd characters on the page.
# CRS: (still need attack-protocol specified.)
# attack-injection-php (930000-933999): Allows code on page.
# attack-sqli (940000-942999): Allows SQL expressions on page.
#
# Others:
# 930100-930110;REQUEST_BODY: if there's a /../ in the text.
#
# ARGS:summary (the text in the 'summary' box on page edits):
# Allowing 930120-930130 lets users save summaries containing
# system file names. This should not be needed in normal use,
# but here is a note of how to allow it in the rule below:
# ctl:ruleRemoveTargetById=930120;ARGS:summary
# ctl:ruleRemoveTargetById=930130;ARGS:summary
#
# Also, we can't specify:
# SecRule ARGS:do "@streq edit" \
# SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php" \
# because do=edit is sometimes dropped, so with the rules above
# the edit would get blocked when the page is saved.
# Allow file uploads, but check that cookies are present just to make sure.
#
# [ Login form ]
#
#
# [ Admin Area ]
#
# Skip this section for performance unless do=admin is in request
# [ Reset password ]
#
# Turn off checks for pass1, pass1-text, pass2
# [ Save config ]
#
# Allow the config to be saved:
# 942200: If the user adds "..." to the tagline: ARGS:config[tagline]
# 942430: If ARGS:config[hidepages] has pages looking like SQL statements
# 942430,942440: "--- //[[@MAIL@|@NAME@]] @DATE@//" in ARGS:config[signature]
SecMarker "END-DOKUWIKI-ADMIN"
SecMarker "END-DOKUWIKI"
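As an added example (not the page's own rule file), here is one way to write the exclusions the notes above describe, intended for the before-CRS exclusion file so the ctl actions take effect before the CRS rules run. The rule ids 10100-10104, the cookie-presence test used instead of do=edit, and the OWASP_CRS tag match for the password fields are assumptions; the CRS ids, tags and argument names come from the notes.

```apache
# Skip everything below unless the request targets one of the two scripts.
SecRule REQUEST_FILENAME "!@rx /(doku|lib/exe/ajax)\.php$" \
    "id:10100,phase:1,pass,nolog,t:none,skipAfter:END-DOKUWIKI"

# Page edits and ajax draft saves. wikitext, prefix and suffix carry the
# page body (in part or whole), so all three get identical target removals.
# Keyed on cookie presence rather than do=edit, which is sometimes dropped.
SecRule &REQUEST_COOKIES "@gt 0" \
    "id:10101,phase:1,pass,nolog,t:none,\
    ctl:ruleRemoveTargetById=921110-921160;ARGS:wikitext,\
    ctl:ruleRemoveTargetById=921110-921160;ARGS:prefix,\
    ctl:ruleRemoveTargetById=921110-921160;ARGS:suffix,\
    ctl:ruleRemoveTargetById=920230;ARGS:wikitext,\
    ctl:ruleRemoveTargetById=920230;ARGS:prefix,\
    ctl:ruleRemoveTargetById=920230;ARGS:suffix,\
    ctl:ruleRemoveTargetByTag=attack-injection-php;ARGS:wikitext,\
    ctl:ruleRemoveTargetByTag=attack-injection-php;ARGS:prefix,\
    ctl:ruleRemoveTargetByTag=attack-injection-php;ARGS:suffix,\
    ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:wikitext,\
    ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:prefix,\
    ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:suffix,\
    ctl:ruleRemoveTargetById=930100-930110;REQUEST_BODY"

# Admin area: skip the rest unless do=admin is in the request (performance).
SecRule ARGS:do "!@streq admin" \
    "id:10102,phase:2,pass,nolog,t:none,skipAfter:END-DOKUWIKI-ADMIN"

# Reset password: turn off CRS checks for the three password fields.
SecRule REQUEST_FILENAME "@endsWith /doku.php" \
    "id:10103,phase:2,pass,nolog,t:none,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"

# Save config: tagline, hidepages and signature trip the SQLi rules listed.
SecRule REQUEST_FILENAME "@endsWith /doku.php" \
    "id:10104,phase:2,pass,nolog,t:none,\
    ctl:ruleRemoveTargetById=942200;ARGS:config[tagline],\
    ctl:ruleRemoveTargetById=942430;ARGS:config[hidepages],\
    ctl:ruleRemoveTargetById=942430-942440;ARGS:config[signature]"

SecMarker "END-DOKUWIKI-ADMIN"
SecMarker "END-DOKUWIKI"
```

Rules 10102-10104 inspect POST parameters and therefore run in phase 2; the ARGS and REQUEST_BODY target removals stay narrow so the rest of the CRS still inspects every other parameter on these requests.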