[pmwiki-devel] Security issues: Disabling action=source & action=diff?

Dominique Faure dominique.faure at gmail.com
Tue Dec 5 08:57:12 CST 2006


On 12/5/06, Crisses <crisses at kinhost.org> wrote:
>
> Now that some recipes are possibly storing data invisibly in the PmWiki
> source of a page, should we have a standard "disable public view of source"
> (and history?) option in the config.php file?
>
> I note that I can look at cookbook stuff on PmWiki.org, and the "see it in
> action at..." then even if I can't edit to view the example source, I can
> type &action=source into the browser, and there it is....
>
> [A closed edit site, close to my heart :) ]
> http://eclectictech.net/?action=source
>
> Obviously I'm doing it from the PmWiki developer point of view, out of a
> curiosity of "How can I improve my sites?" and "How did they DO! that?" but
> others may do it from the "How can I hack sites?" point of view, so I would
> think some people would want to (or NEED to) limit others viewing PmWiki
> source code.
>
> I think this should be listed somewhere in a list of items that new installs
> should review for security purposes.  I'm seeing people "just installing"
> PmWiki without knowing that their site is vulnerable to vandals, for
> example.  Maybe a pointer to an installation review checklist should be on
> the Installation page?
>
> Yeah, yeah, "that sounds like the voice of a volunteer" ;)  I'd be glad to
> kick it off, but either tell or remind me how to disable these actions -->
> can we tie them in to authentication levels?  Like you can only view source
> if you can edit the page?
>
> Then I can start off a link from the Installation instructions to a page of
> "Recommended security procedures" (a list of items with brief descriptions)
> that then link to relevant information for implementation on each item.
>
> Anyone against this?  For it?  Want to help?  Want to do it instead? :)
>
>

The basic site protection I could suggest would be to synch
'action=source' or 'action=diff' with 'action=edit' auth level:

$HandleAuth['diff'] = $HandleAuth['source'] = 'edit';

As simple as that,
Dom
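A fuller local/config.php excerpt putting that one-liner in context, added here as an illustration rather than taken from the thread or from PmWiki's own distribution. It assumes PmWiki's documented `$HandleAuth` and `$DefaultPasswords` arrays and the `pmcrypt()` helper found in current PmWiki releases; the commented-out defaults are stated as an assumption, and the password value is a placeholder.

```php
<?php
// local/config.php excerpt (added example; not from the mailing-list thread)

// PmWiki's shipped mapping lets anyone with 'read' permission fetch the raw
// page markup via ?action=source and the page history via ?action=diff.
// (Assumption: these are the distribution defaults.)
// $HandleAuth['source'] = 'read';
// $HandleAuth['diff']   = 'read';

// Raise both actions to the 'edit' level, as suggested in the thread, so that
// viewing source or history requires the same credentials as editing.
$HandleAuth['diff'] = $HandleAuth['source'] = 'edit';

// The mapping only restricts anything if editing itself requires
// authentication on this site. Set a site-wide edit password here
// (placeholder value; pmcrypt() is PmWiki's password-hashing helper in
// current releases).
$DefaultPasswords['edit'] = pmcrypt('CHANGE-ME');
```

To confirm it took effect, request any page with `?action=source` appended while logged out: PmWiki should answer with its password prompt instead of the page markup, and `?action=diff` should behave the same way.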
