Configuration


Config parameters for WackoWiki R5.5


Default values are set in the config.default.php file in the config/ folder.


Primary

generated by installer


config/config.php

<?php
 
$wacko_config = array(
    'base_url' => 'http://localhost/wacko/',
    'database_charset' => 'latin1',
    'database_collation' => '0',
    'database_driver' => 'mysql_pdo',
    'database_engine' => 'InnoDB',
    'database_host' => 'localhost',
    'database_port' => '3306',
    'database_database' => 'wiki',
    'database_user' => 'root',
    'database_password' => '',
    'table_prefix' => 'wacko_',
    'system_seed' => 'c-&P[(13N#Nj62l*mYE4',
    'recovery_password' => '',
    'cache_dir' => '_cache/',
    'class_path' => 'class',
    'action_path' => 'action',
    'handler_path' => 'handler',
    'theme_path' => 'theme',
    'formatter_path' => 'formatter',
    'upload_path' => 'files/global',
    'upload_path_per_page' => 'files/perpage',
    'upload_path_backup' => 'files/backup',
    'wacko_version' => '5.5.0',
);
 
?>


Secondary

stored in config table


Changes in the secondary config can be made via

  1. editing config_value in your [prefix_]config table via phpMyAdmin.
    • Don't forget to delete _cache/config/config.php afterwards (e.g. with {{admincache}}), otherwise the cached copy of the old config keeps being used.
  2. the new Admin panel
    • for that you must define the recovery_password in the config file first, then call yourwiki/admin.php

no  config_name value default
1 abuse_email
2 admin_email l@o.cal
3 admin_name WikiAdmin
4 allow_rawhtml 1
5 allow_registration 1
6 allow_swfobject 0
7 allow_themes 0
8 allow_x11colors 0
9 antidupe 0
10 cache 1
11 cache_sql 0
12 cache_sql_ttl 600
13 cache_ttl 600
14 captcha_edit_page 1
15 captcha_new_comment 1
16 captcha_new_page 1
17 captcha_registration 1
18 comments_count 10
19 cookie_prefix wacko_
20 cookie_session 30
21 date_format d.m.Y
22 date_macro_format d.m.Y H:i
23 date_precise_format d.m.Y H:i:s
24 debug 3
25 debug_admin_only 0
26 debug_sql_threshold 0
27 default_comment_acl $
28 default_create_acl $
29 default_read_acl *
30 default_rename_redirect 1
31 default_typografica 1
108 default_upload_acl Admins
32 default_write_acl $
33 disable_autosubscribe 0
34 disable_bracketslinks 0
35 disable_formatters 0
36 disable_npjlinks 0
37 disable_safehtml 0
38 disable_tikilinks 0
39 disable_wikilinks 0
40 edit_summary 0
41 footer_comments 1
42 footer_files 1
43 forum_cluster Forum
44 forum_topics 10
45 hide_comments 0
46 hide_files 0
47 hide_index 0
48 hide_locked 1
49 hide_rating 1
50 hide_toc 0
51 keep_deleted_time 0
52 language en
53 log_default_show 1
54 log_min_level 0
55 log_purge_time 0
56 lower_index 0
103 maint_last_cache 1278434412
106 maint_last_delpages NULL
104 maint_last_log NULL
107 maint_last_oldpages NULL
105 maint_last_refs 1278353937
57 meta_description
58 meta_keywords
59 minor_edit 0
60 multilanguage 1
61 name_date_macro %s (%s)
62 news_cluster News
63 news_levels /.+/.+/.+
64 outlook_workaround 1
65 owners_can_change_categories 1
66 owners_can_remove_comments 1
67 pages_purge_time 0
68 paragrafica 1
69 policy_page
70 pwd_char_classes 0
71 pwd_min_chars 8
72 pwd_unlike_login 1
73 referrers_purge_time 1
74 remove_onlyadmins 0
75 rename_globalacl Admins
76
77 rewrite_mode on
78 root_page HomePage
79
80 show_spaces 1
81 spam_filter 1
82 tls 0
83 tls_implicit 0
84 tls_proxy
85 standard_handlers acls|addcomment|categories|claim|diff|edit|latex|m...
86 store_deleted_pages 1
87 strong_cookies 0
88 theme default
89 time_format H:i:s
90 time_format_seconds H:i
91 upload admins
92 upload_banned_exts php|cgi|js|php|php3|php4|php5|pl|ssi|jsp|phtm|phtm...
93 upload_images_only 0
94 upload_max_per_user 100
95 upload_max_size 300
96 upper_index 0
97 urls_underscores 0
98 users_page Users
99 wacko_desc
100 wacko_name MyWackoSite
101 xml_sitemap 0
102 youarehere_text


User Settings

Relation of corresponding user settings to config settings:


config | user setting | guest user | remarks

The default values for the user settings are set as DEFAULT value in the table itself.


4. Strict-Transport-Security HTTP Response Header


Instructs the browser to always request a domain using the HTTPS protocol instead of HTTP.

4.1. Why Use HSTS?


  1. Passive Network Attacks – man-in-the-middle attacks, HTTPS stripping attacks.
  2. Active Network Attacks – compromised DNS, evil twin domains, etc.
  3. Mixed Content Vulnerabilities – loading of an insecure resource over a secure request (e.g. swf)
  4. Performance – removes unnecessary redirects from HTTP to HTTPS.
  5. Because no one types https:// in the address bar.

4.2. HSTS Directives


max-age – number of seconds policy should be kept for.
includeSubDomains – apply this policy to all subdomains of the requested host. Omit to apply policy only to current domain.

4.3. HSTS Examples


Require HTTPS for 60 seconds on current domain:

Strict-Transport-Security: max-age=60

Require HTTPS for 365 days on all subdomains:

Strict-Transport-Security: max-age=31536000; includeSubDomains

Remove HSTS Policy (including subdomains):

Strict-Transport-Security: max-age=0

4.4. How to handle HTTP Requests


Requests over HTTP (non-secure)

Should respond with a 301 redirect to the secure URL.
Must NOT respond with a Strict-Transport-Security header on non-secure HTTP requests.


Requests over HTTPS

Should always respond with a Strict-Transport-Security header.
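The directive rules of 4.2/4.3 and the request handling of 4.4, as an added example in Python 3 (standard library only); this is not WackoWiki code and not part of the original page. The request is reduced to its URL and the response to a (status, headers) pair, so the scheme-dependent behaviour can be exercised without a web server; the hostnames used are constructed.

```python
"""HSTS header construction and scheme-aware request handling.

Added example (not WackoWiki code and not from the original page): a
framework-agnostic model of the rules in sections 4.2-4.4. The request is
represented only by its URL; the response is a (status, headers) pair.
"""
from typing import Dict, Tuple
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 365 * 24 * 60 * 60  # 31536000 seconds, the "365 days" example


def hsts_header(max_age: int, include_subdomains: bool = False) -> str:
    """Build a Strict-Transport-Security value.

    max_age=0 tells the browser to drop a previously stored policy;
    includeSubDomains extends the policy to every subdomain, so only send
    it once every subdomain really serves HTTPS.
    """
    if max_age < 0:
        raise ValueError("max-age must be >= 0")
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value


def parse_hsts(value: str) -> Dict[str, object]:
    """Interpret a header value the way a browser would (names are case-insensitive)."""
    policy: Dict[str, object] = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            policy["max_age"] = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy


def respond(url: str, max_age: int = ONE_YEAR,
            include_subdomains: bool = True) -> Tuple[int, Dict[str, str]]:
    """Decide the response for a request to `url`.

    Plain HTTP: 301 to the https:// form of the same URL and NO HSTS header
    (browsers ignore it there, and sending it is a spec violation).
    HTTPS: normal response carrying the HSTS header.
    """
    parts = urlsplit(url)
    if parts.scheme == "http":
        # An explicit :80 must not be carried over to the https:// URL.
        host = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        secure = urlunsplit(("https", host, parts.path, parts.query, ""))
        return 301, {"Location": secure}
    if parts.scheme == "https":
        return 200, {"Strict-Transport-Security":
                     hsts_header(max_age, include_subdomains)}
    raise ValueError(f"unsupported scheme: {parts.scheme!r}")


if __name__ == "__main__":
    # Constructed sample requests.
    for request in ("http://wiki.example.com:80/HomePage",
                    "https://wiki.example.com/HomePage"):
        print(request, "->", respond(request))
```

Note that `respond()` sends includeSubDomains by default; drop that argument for a host whose subdomains are not all served over HTTPS, since a year-long policy is remembered by the browser even after the header stops being sent.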

4.5. HSTS Browser Support


4.6. HSTS Resources

  1. HSTS Specification: https://tools.ietf.org/html/rfc6797
  2. OWASP: HTTP Strict Transport Security Cheat Sheet

5. X-Frame-Options


Allows the server to specify if the response content should be part of a frame, and if so from what origin.


Note: The frame-ancestors directive from the CSP Level 2 specification officially replaces this non-standard header but is not supported across all browsers. Though X-Frame-Options is not an official standard it is widely supported and can be used in conjunction with CSP.

5.1. Clickjacking


  • AKA UI Redressing
  • Attacker tricks the user into clicking on something that performs an unintended action.

5.2. X-Frame-Options Directives


  • DENY – Specifies that the requested resource should never be embedded in a frame.
  • SAMEORIGIN – Only pages on the same domain may frame the requested resource.
  • ALLOW-FROM origin – Allow a whitelisted origin to frame the requested content.

5.3. X-Frame-Options Resources


  1. http://tools.ietf.org/html/rfc7034
  2. OWASP: Clickjacking Defense Cheat Sheet

6. Content-Security-Policy (CSP)


HTTP response header that allows the server to control how resources are loaded.

6.1. Why Content-Security-Policy?


  • Greatly reduces success of Cross Site Scripting (XSS) attacks.
  • Report / log XSS attack attempts

6.2. CSP Directives

CSP can protect against a variety of unauthorized asset types.

  • default-src – all assets (including scripts)
  • script-src – scripts
  • style-src – stylesheets
  • img-src – limit origins of images
  • connect-src – XHR, WebSockets, EventSource
  • base-uri
  • font-src – font files
  • form-action
  • frame-ancestors – which origins may embed this page (replaces X-Frame-Options)
  • plugin-types – restricts the set of plugins that can be invoked
  • object-src – Flash and other plugin objects
  • media-src – audio and video
  • child-src – nested browsing contexts sources
  • sandbox
  • report-uri – where violation reports are sent

6.3. CSP Source Expressions


Source value – Meaning
* – Wildcard, allows all origins.
'self' – Allow same origin.
'none' – Don't allow any resources of this type to load.
domain.example.com – Allow a domain.
*.example.com – Allow all subdomains on a domain.
https://example.com – Scheme specific.
https: – Require https.
data: – Allow data URI schemes.

6.4. unsafe-inline


  • When script-src or style-src is set, inline style or script tags are disabled.
    • You can add 'unsafe-inline' to allow them, but this defeats much of CSP's purpose.

6.5. unsafe-eval


  • CSP also disables unsafe dynamic code evaluation, such as the JavaScript eval() function.
    • You can add 'unsafe-eval' to a script-src directive to lift this restriction.

6.6. CSP Reports


  • Configure a report-uri to accept CSP violation reports (POST)
  • Be notified of XSS vulnerabilities as they occur
  • Users with CSP-supporting browsers make it safer for everybody

Content-Security-Policy: default-src 'self'; report-uri http://example.com/report.php

6.6.1. Report-only headers


  • Content-Security-Policy-Report-Only
  • Notifies you of violations, but won't take action
  • Lets you try CSP risk-free

Specify a report-uri to receive JSON violation reports; use the report-only header name to log without enforcing:

Content-Security-Policy-Report-Only: default-src 'self'; report-uri http://example.com/report.php
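The directive and source-expression rules of 6.2/6.3, the X-Frame-Options mapping of 5.2, and the report-uri handling of 6.6, as one added example in Python 3 (standard library only); this is not WackoWiki code and not part of the original page. The policy dictionary, the report_uri value and SAMPLE_REPORT are constructed for illustration.

```python
"""Content-Security-Policy and X-Frame-Options construction plus parsing
of the JSON violation report a browser POSTs to report-uri.

Added example, not part of the page or of WackoWiki. The policy dict,
report_uri value and SAMPLE_REPORT below are constructed for illustration.
"""
import json
from typing import Dict, List, Optional, Tuple

# Keyword sources are quoted in the header; everything else is a host or scheme.
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval"}


def _source(token: str) -> str:
    return f"'{token}'" if token in KEYWORDS else token


def build_csp(policy: Dict[str, List[str]], report_uri: Optional[str] = None,
              report_only: bool = False) -> Tuple[str, str]:
    """Return (header name, header value) for {directive: [sources]}.

    report_only=True selects Content-Security-Policy-Report-Only, which
    only reports violations and enforces nothing (section 6.6.1).
    """
    parts = []
    for directive, sources in policy.items():
        if directive == "sandbox":  # takes flags rather than sources, may be bare
            parts.append(" ".join([directive] + sources))
        else:
            parts.append(directive + " " + " ".join(_source(s) for s in sources))
    if report_uri:
        parts.append("report-uri " + report_uri)
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, "; ".join(parts)


def x_frame_options(frame_ancestors: List[str]) -> Optional[str]:
    """X-Frame-Options value equivalent to a frame-ancestors list, for
    browsers without CSP Level 2 (section 5.2). A list of several hosts has
    no X-Frame-Options equivalent (ALLOW-FROM takes exactly one origin), so
    None is returned and the CSP directive has to carry that case alone."""
    if frame_ancestors == ["none"]:
        return "DENY"
    if frame_ancestors == ["self"]:
        return "SAMEORIGIN"
    if len(frame_ancestors) == 1 and frame_ancestors[0] not in KEYWORDS:
        return "ALLOW-FROM " + frame_ancestors[0]
    return None


def parse_report(body: bytes) -> Dict[str, Optional[str]]:
    """Pull the fields worth logging out of a report-uri POST body."""
    data = json.loads(body)["csp-report"]
    return {
        "document": data.get("document-uri"),
        "directive": data.get("effective-directive") or data.get("violated-directive"),
        "blocked": data.get("blocked-uri"),
    }


# Constructed sample of what a browser sends; real reports carry more fields.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://wiki.example.com/HomePage",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "blocked-uri": "https://third-party.example/widget.js",
}}).encode()

if __name__ == "__main__":
    policy = {"default-src": ["self"],
              "script-src": ["self", "https://cdn.example.com"],
              "frame-ancestors": ["none"]}
    print(build_csp(policy, report_uri="https://wiki.example.com/report.php"))
    print("X-Frame-Options:", x_frame_options(policy["frame-ancestors"]))
    print(parse_report(SAMPLE_REPORT))
```

Sending both headers for the same policy is what the note in section 5 recommends: browsers with CSP Level 2 honour frame-ancestors, older ones fall back to X-Frame-Options. Start with the report-only variant and log what `parse_report()` returns before switching to the enforcing header name.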

6.7. CSP Browser Support


6.8. CSP Resources



config/constants.php

define('BACKUP_COMPRESSION_RATE',	9);			// gzip compression rate
define('BACKUP_MEMORY_STEP',		1048576);		// max bytes to process per cycle (make sure it's at least 10 times less than PHP memory limit!)
define('BACKUP_FILE_LOG',		'backup.log');		// backup log filename
define('BACKUP_FILE_STRUCTURE',		'structure.sql');	// tables structure filename
define('BACKUP_FILE_DUMP_SUFFIX',	'.dat.gz');		// tables dump filename suffix
define('BACKUP_FILE_GZIP_SUFFIX',	'.gz');			// regular compressed files suffix

define('CACHE_CONFIG_DIR',		'config/');
define('CACHE_FEED_DIR',		'feeds/');
define('CACHE_PAGE_DIR',		'pages/');
define('CACHE_SQL_DIR',			'queries/');

define('GUEST',				'guest@wacko');
define('INTERCOM_MAX_SIZE',		262144);

define('LOAD_NOCACHE',			0);
define('LOAD_CACHE',			1);
define('LOAD_ALL',			0);
define('LOAD_META',			1);

define('MENU_AUTO',			0);
define('MENU_USER',			1);
define('MENU_DEFAULT',			2);

define('RECOVERY_MODE',			0);		// restore database

define('SESSION_HANDLER_ID',		'sid');
define('SESSION_HANDLER_PATH',		null);	// if you are using specific path (instead of system default /tmp) for session variables storing, define it here

define('SQL_NULLDATE',			'0000-00-00 00:00:00');
define('SQL_DATE_FORMAT',		'Y-m-d H:i:s');

define('TRANSLIT_DONTCHANGE',		0);
define('TRANSLIT_LOWERCASE',		1);
define('TRANSLIT_LOAD',			0);
define('TRANSLIT_DONTLOAD',		1);

// do not change these three lines, PLEASE-PLEASE. In fact, don't change anything! Ever!
define('WACKO_VERSION',			'5.5.beta');
define('HTML_ENTITIES_CHARSET',		'ISO-8859-1'); // ISO-8859-1, cp1251
define('XML_HTMLSAX3',			'lib/HTMLSax3/');

define('HTML_FILTERING',		null); // safehtml, htmlpurifier

define('ACTION4DIFF',			'anchor, toc'); //allowed actions in DIFF

define('PHP_MIN_VERSION',		'5.4.0'); //minimum required PHP version

define('PHP_ERROR_REPORTING',		0); // PHP error reporting: 0 - off, 5 - all