This is a static dump of issues in the old "Flyspray" bugtracker for DokuWiki. Bugs and feature requests are now tracked at the issue tracker at Github.
FS#680 File system disclosure on plugin page
Going to any plugin page directly discloses details about the underlying file structure of DokuWiki.
E.g., try going to
An attacker may use this information to launch further directed attacks.
Error reporting should be turned off on production servers anyway.
An update to the .htaccess file (or an additional .htaccess file in lib/plugins) would solve this for Apache servers.
Another (maybe better) idea would be to replace the if(!defined(DOKU_INC)... initialization for all includes and plugins with
if(!defined('DOKU_INC')) die("Do not run this on it's own");
A possible problem may arise with plugins that need to be called on their own for AJAX calls, like the Search Manager plugin. Solutions welcome.
If (!defined(DOKU_INC)) has been added to the plugins included in DokuWiki and the sample sources in the plugin tutorial have been updated.
I presume plugins that can be called on their own won't generate PHP errors and warnings.
If this solution is going to be "best practice" for plugins, I think after a notification of it is sent to the mailing list the bug can be closed.
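As an added example, not from the bug report or from DokuWiki's own code, the following POSIX shell check lists plugin PHP files that lack the DOKU_INC guard the thread settles on, i.e. files that still execute their code when requested directly; it runs against a constructed sample tree (the guarded/ and unguarded/ plugins and their contents are made up) rather than a real lib/plugins directory.

```shell
#!/bin/sh
# Added example, not part of the bug report or of DokuWiki itself.
# Lists PHP files under a plugin directory that do not contain the
# DOKU_INC guard, i.e. files that run their code when requested directly
# and can therefore emit path-revealing PHP warnings.
find_unguarded() {
    dir=$1
    # grep -L prints the names of files with NO match; the quotes around the
    # constant are optional so the older defined(DOKU_INC) spelling counts too.
    find "$dir" -type f -name '*.php' \
        -exec grep -LE "defined\(['\"]?DOKU_INC['\"]?\)" {} + | sort
}

# Constructed sample tree standing in for lib/plugins; prints its path.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/guarded" "$d/unguarded"
    cat > "$d/guarded/action.php" <<'EOF'
<?php
if(!defined('DOKU_INC')) die("Do not run this on its own");
require_once(DOKU_PLUGIN.'action.php');
class action_plugin_guarded extends DokuWiki_Action_Plugin {}
EOF
    cat > "$d/unguarded/syntax.php" <<'EOF'
<?php
require_once(DOKU_PLUGIN.'syntax.php');
class syntax_plugin_unguarded extends DokuWiki_Syntax_Plugin {}
EOF
    printf '%s\n' "$d"
}

# Stand-alone run: report the unguarded file, then remove the sample tree.
sample=$(make_sample)
find_unguarded "$sample"
rm -rf "$sample"
```

Point find_unguarded at lib/plugins of an installation to get the list of files that still need the guard (or an .htaccess rule) before they are reachable over the web.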