The Fedora Linux distribution provides DokuWiki, a simple-to-use and highly versatile open source wiki software, via its repositories. From at least Fedora 24 through the recent Fedora 28, the provided DokuWiki version is 20150810a. An outdated DokuWiki version of course brings some issues:
- Obviously the outdated version 20150810a does not provide all of DokuWiki’s new features and fixes. The current stable recommended DokuWiki version is 20180422a.
- Version 20150810a contains a lot of security issues: CVE-2016-7964, CVE-2016-7965, CVE-2017-12583, CVE-2017-12979, CVE-2017-12980, CVE-2017-18123, so installing the package increases the risk of the system being exploited.
- The package configuration does not leave DokuWiki in a working state after installation, because of a missing dependency, the vendor library directory:
PHP Fatal error: require_once(): Failed opening required '/usr/share/dokuwiki/vendor/autoload.php' (include_path='.:/usr/share/pear:/usr/share/php') in /usr/share/dokuwiki/inc/init.php on line 194
- The Apache configuration file provided by the package does not restrict access to DokuWiki’s configuration files. This makes it possible to invoke PHP files from the conf directory but, what’s worse, it also exposes the content of non-PHP files. When the DokuWiki configuration is saved, a copy of the modified configuration file is written to a backup file, and this backup can be publicly accessed. This way backup files leak confidential information from the configuration (like credentials set for authentication plugins and so on). Additionally, the bin directory is also unrestricted.
- As Fedora’s dokuwiki package seems to be orphaned, there is very little chance of a remedy arriving through updates soon.
- The DokuWiki package in Fedora has been taken over by a new packager, who merged my pull request with all the fixes addressing the issues mentioned in this article. Now you can simply upgrade the dokuwiki package to the latest version from the official repositories.
Version Upgrade Information
To address these issues and in an attempt to provide a compatible and working Fedora DokuWiki upgrade, I’ve prepared an upgrade package with the current stable recommended DokuWiki version 20180422a for Fedora 28. The package has been built and is distributed via Fedora’s community projects build service (COPR), where it has its dedicated repository: pessoft/dokuwiki. The new package is derived from Fedora’s original dokuwiki package, to make it as compatible as possible. But it also has some additional changes:
- Updates DokuWiki version to 20180422a
- Adds required vendor directory
- Replaces dependencies on libraries located in vendor directory with libraries provided by Fedora’s packages where available (simplepie, phpseclib, random_compat, lesserphp)
- Fixes Apache configuration, so it matches access restrictions of DokuWiki’s upstream .htaccess files
Before the upgrade, make sure that you have a backup of your DokuWiki’s data and configuration, so you can roll back in case of some incompatibility. Thanks to the COPR repository, it is very easy to upgrade Fedora’s DokuWiki. Just follow these steps as the root user to install the new package:

    # install copr plugin for dnf
    dnf -y install 'dnf-command(copr)'
    # enable repository with new dokuwiki package
    dnf -y copr enable pessoft/dokuwiki
    # upgrade the dokuwiki package to a new version
    dnf -y upgrade dokuwiki

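To confirm after the upgrade that Apache no longer serves files from the conf and bin directories, the following check requests every file found in those local directories through the web server and reports any that come back with a 2xx status. It is an added example, not part of the original article or of the package; the base URL and the on-disk wiki root passed as arguments are assumptions about your setup.

```sh
#!/bin/sh
# Added example: check that Apache refuses to serve DokuWiki's conf and bin files.
# Usage: sh check_dokuwiki.sh BASE_URL WIKI_ROOT
#   e.g. sh check_dokuwiki.sh http://localhost/dokuwiki /usr/share/dokuwiki
# (both values are assumptions about your setup, not taken from the package)

# Print the HTTP status code for a URL ("000" when the request itself fails).
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$1"
}

# Succeed when the status code means the server delivered the file.
# 403/404 mean access is blocked; any 2xx means the file was served or executed.
is_served() {
    case "$1" in
        2??) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit_dir LOCAL_DIR URL_PREFIX
# Requests every regular file of LOCAL_DIR through the web server, prints the
# ones that are reachable and returns 1 if at least one was served.
audit_dir() {
    ad_exposed=0
    for ad_file in "$1"/*; do
        [ -f "$ad_file" ] || continue
        ad_code="$(http_status "$2/${ad_file##*/}")"
        if is_served "$ad_code"; then
            echo "EXPOSED $ad_code $2/${ad_file##*/}"
            ad_exposed=1
        fi
    done
    return "$ad_exposed"
}

# Audit both directories the article names; exit status 1 means a leak remains.
main() {
    m_rc=0
    for m_sub in conf bin; do
        audit_dir "$2/$m_sub" "$1/$m_sub" || m_rc=1
    done
    [ "$m_rc" -eq 0 ] && echo "OK: conf and bin are not served"
    return "$m_rc"
}

if [ "$#" -eq 2 ]; then main "$@"; fi
```

Run it as a user that can list the conf directory, otherwise no files are found and nothing is checked.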
I’ve successfully tested the new dokuwiki package in the following scenarios:
- New installation of the dokuwiki package on a fresh installation of Fedora 28.
- Upgrade of the standard Fedora 28 dokuwiki package, while there was already some data created by DokuWiki 20150810a.
New dokuwiki packages are also available from COPR for Fedora 26, Fedora 27 and Fedora Rawhide. These, however, have not been tested by me. Good luck.