From 823ec815d4fc9625d6fa3553ad03e9f2ff737659 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 14 Mar 2010 14:58:13 -0400 Subject: [PATCH] Add a include setting, which can be used to make ikiwiki process wiki source files, such as .htaccess, that would normally be skipped for security or other reasons. Closes: #447267 (Thanks to Aaron Wilson for the original patch.) --- IkiWiki.pm | 13 +++++++++++++ debian/changelog | 4 ++++ doc/tips/htaccess_file.mdwn | 30 +++++++++++++++++++++++++++++ doc/todo/enable-htaccess-files.mdwn | 5 +++++ doc/usage.mdwn | 6 ++++++ ikiwiki.in | 3 +++ 6 files changed, 61 insertions(+) create mode 100644 doc/tips/htaccess_file.mdwn diff --git a/IkiWiki.pm b/IkiWiki.pm index 251ed8cc8..ee94ce659 100644 --- a/IkiWiki.pm +++ b/IkiWiki.pm @@ -334,6 +334,15 @@ sub getsetup () { safe => 0, # paranoia rebuild => 0, }, + include => { + type => "string", + default => undef, + example => '^\.htaccess$', + description => "regexp of normally ignored source files to include", + advanced => 1, + safe => 0, # regexp + rebuild => 1, + }, exclude => { type => "string", default => undef, @@ -1820,6 +1829,10 @@ sub file_pruned ($;$) { $file =~ s#^\Q$base\E/+##; } + if (defined $config{include} && length $config{include}) { + return 0 if $file =~ m/$config{include}/; + } + my $regexp='('.join('|', @{$config{wiki_file_prune_regexps}}).')'; return $file =~ m/$regexp/; } diff --git a/debian/changelog b/debian/changelog index 92afe661f..e5347e2a1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -8,6 +8,10 @@ ikiwiki (3.20100313) UNRELEASED; urgency=low as used by yahoo and google urls. * Add complete German basewiki and directives translation done by Sebastian Kuhnert. + * Add a include setting, which can be used to make ikiwiki process + wiki source files, such as .htaccess, that would normally be skipped + for security or other reasons. Closes: #447267 + (Thanks to Aaron Wilson for the original patch.) -- Joey Hess Sat, 13 Mar 2010 14:48:10 -0500 
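Review bot: The `description` of the new `include` entry in getsetup does not say that a match overrides the default security excludes, or that file_pruned applies the pattern unanchored. An administrator who sees only this description has no cue to anchor the value the way the example `'^\.htaccess$'` does. I would word it as `description => "regexp of normally ignored source files to include (overrides the security excludes; anchor it with ^ and $)",`. getsetup's body starts and ends outside this hunk.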
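Review bot: In file_pruned the new `return 0 if $file =~ m/$config{include}/;` runs before the `wiki_file_prune_regexps` test, so one include match switches off every prune rule for that file, not only the dotfile rule. If that list also carries path-safety rules (they are not visible in this hunk), a loosely written include value would bypass those too; keeping such checks ahead of the include shortcut would limit the setting to what its documentation describes. The pattern is also interpolated straight from configuration, so a malformed regexp dies here at match time; compiling it once with `qr//` inside an `eval` when the setup is loaded would report the error up front. The start of file_pruned is outside the hunk.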
diff --git a/doc/tips/htaccess_file.mdwn b/doc/tips/htaccess_file.mdwn
new file mode 100644
index 000000000..5266eba41
--- /dev/null
+++ b/doc/tips/htaccess_file.mdwn
@@ -0,0 +1,30 @@
+If you try to include a `.htaccess` file in your wiki's source, in order to
+configure the web server, you'll find that ikiwiki excludes it from
+processing. In fact, ikiwiki excludes any file starting with a dot, as well
+as a lot of other files, for good security reasons.
+
+You can tell ikiwiki not to exclude the .htaccess file by adding this to
+your setup file:
+
+ include => '^\.htaccess$',
+
+Caution! Before you do that, please think for a minute about who can edit
+your wiki. Are attachment uploads enabled? Can users commit changes
+directly to the version control system? Do you trust everyone who can
+make a change to not do Bad Things with the htaccess file? Do you trust
+everyone who *might* be able to make a change in the future? Note that a
+determined attacker who can write to the htaccess file can probably get a
+shell on your web server.
+
+If any of these questions have given you pause, I suggest you find a
+different way to configure the web server. One way is to not put the
+`.htaccess` file under ikiwiki's control, and just manually install it
+in the destdir.
+
+[Apache's documentation](http://httpd.apache.org/docs/1.3/howto/htaccess.html)
+says
+> In general, you should never use .htaccess files unless you don't have
+> access to the main server configuration file.
+This is good advice -- if you can edit apache's main configuration files,
+then you should not use a htaccess file.
+--[[Joey]]
diff --git a/doc/todo/enable-htaccess-files.mdwn b/doc/todo/enable-htaccess-files.mdwn
index 412cb5eba..c895db75d 100644
--- a/doc/todo/enable-htaccess-files.mdwn
+++ b/doc/todo/enable-htaccess-files.mdwn
@@ -61,3 +61,8 @@ It should be off by default of course. --Max +1 for various purposes (but sometimes the filename isn't `.htaccess`, so please make it configurable) --[[schmonz]] > I've described a workaround for one use case at the [[plugins/rsync]] [[plugins/rsync/discussion]] page. --[[schmonz]] + +--- + +[[done]], you can use the `include` setting to override the default +excludes now. Please use extreme caution when doing so. --[[Joey]] diff --git a/doc/usage.mdwn b/doc/usage.mdwn index a105d7e59..f735170f0 100644 --- a/doc/usage.mdwn +++ b/doc/usage.mdwn @@ -234,6 +234,12 @@ also be configured using a setup file. Specifies a rexexp of source files to exclude from processing. May be specified multiple times to add to exclude list. +* --include regexp + + Specifies a rexexp of source files, that would normally be excluded, + but that you wish to include in processing. + May be specified multiple times to add to include list. + * --adminuser name Specifies a username of a user (or, if openid is enabled, an openid) diff --git a/ikiwiki.in b/ikiwiki.in index ae1251ff6..da5555629 100755 --- a/ikiwiki.in +++ b/ikiwiki.in @@ -65,6 +65,9 @@ sub getconfig () { "exclude=s@" => sub { push @{$config{wiki_file_prune_regexps}}, $_[1]; }, + "include=s@" => sub { + $config{include}=defined $config{include} && length $config{include} ? "$config{include}|$_[1]" : $_[1]; + }, "adminuser=s@" => sub { push @{$config{adminuser}}, $_[1] }, -- 2.32.0.93.g670b81a890
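Review bot: An empty `--include` value given after a non-empty one makes the callback build `"$config{include}|"`, and a trailing empty alternative matches every path, so file_pruned would then return 0 for all files and no prune rule would apply. The `length` test in the ternary only guards the existing value, not `$_[1]`. Adding `return unless defined $_[1] && length $_[1];` as the first statement of the sub closes that. getconfig's body continues outside the hunk.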