[pmwiki-devel] [pmwiki-users] ZAP security vulnerability...
Kathryn Andersen
kat_lists at katspace.homelinux.org
Tue May 1 21:19:11 CDT 2007
(Following up on pmwiki-devel)

On Tue, May 01, 2007 at 08:21:04PM -0500, Patrick R. Michaud wrote:
> All of this is just a way of saying that I think we need
> a different overall solution to the problem here -- i.e.,
> being able to bypass edit to write to *any* page is too
> blunt an instrument for what we're trying to achieve.

Whatever happened to the "append" level of security that you were
considering as a solution to adding blogging/commenting capability to
PmWiki?

One of the things that has bothered me about ZAP is not quite that
it bypasses PmWiki security(*), but that it has its own security
model that bypasses PmWiki security. This concerns me for a few
different reasons:

(a) more complicated: there are two security systems
(b) uncertain: ZAP's security has had less testing
(c) is it necessary?

I know that security is complicated. Even adding "append" security is
complicated. And what does one do if one wants, say, for people to be
able to edit some parts of a page (like certain PTVs) and not others?
Though I guess that can be gotten around by splitting the content into
two pages.

(*) My own IncludeUpload bypasses PmWiki security, but I've made it quite
clear that it is not secure.

Kathryn Andersen
--
_--_|\ | Kathryn Andersen <http://www.katspace.com>
/ \ |
\_.--.*/ | GenFicCrit mailing list <http://www.katspace.com/gen_fic_crit/>
v |
------------| Melbourne -> Victoria -> Australia -> Southern Hemisphere
Maranatha! | -> Earth -> Sol -> Milky Way Galaxy -> Universe