[pmwiki-devel] ZAP security vulnerability...

Patrick R. Michaud pmichaud at pobox.com
Wed May 2 07:45:00 CDT 2007


On Wed, May 02, 2007 at 12:19:11PM +1000, Kathryn Andersen wrote:
> (Following up on pmwiki-devel)
> On Tue, May 01, 2007 at 08:21:04PM -0500, Patrick R. Michaud wrote:
> > All of this is just a way of saying that I think we need
> > a different overall solution to the problem here -- i.e., 
> > being able to bypass edit to write to *any* page is too 
> > blunt an instrument for what we're trying to achieve.
> 
> Whatever happened to the "append" level of security that you were
> considering as a solution to adding blogging/commenting capability to
> PmWiki?

Well, that's what I've spent months struggling with on this
issue.  :-)  I think I've come to the conclusion that adding
another authorization level doesn't really resolve the problem
in a satisfactory manner.  First, it adds complexity, as anyone
using the forms processing engine would then have to understand
how the additional authorization level works.  But beyond that,
not everyone who edits a page also has the ability to change
passwords or authorization levels on the page.  

So, that's why I started casting about for other approaches
to the problem.  My current attempt involves looking for
specific enabling strings on pages that allow append/update,
or allowing the authority to be delegated based on patterns
in the target page's name [1].

Thanks,

Pm

[1] http://www.pmichaud.com/pipermail/pmwiki-users/2007-April/042082.html