[pmwiki-devel] ZAP farms: a modest proposal for security

Hans design5 at softflow.co.uk
Thu May 3 11:17:55 CDT 2007


Thursday, May 3, 2007, 5:02:26 PM, Ben wrote:

> So here's my question: would any of these exploits -- including the ones
> only mysteriously alluded to -- be possible if ZAP were only installed
> on a wiki farm field, separate from the publicly-editable part of the
> wiki?  If not, it seems like a wiki could safely use both editing 
> philosophies by isolating each from the other in its own farm field.
> Part of the site would use the wiki's edit function exclusively, and the
> other part would use ZAP exclusively as its public face, and they could
> share a skin and otherwise be unobtrusively integrated with each other.

A farm setup has several wikis (each as a "field" if you like that
term), but the whole is not one wiki. All the wikis in a farm share the
same PmWiki file installation, and possibly also share cookbook scripts
from the same farm cookbook directory. I say this to clarify the
terminology.

But each wiki is, or can be, configured individually, and has its own
config.php file to include recipe scripts etc. So they are separate
entities, and if one is used for ZAP and has general edit protection
on all pages then ZAP should be safe to use, and it won't be
accessible from another wiki in the farm, if this wiki does not
include the script, either in config.php or a group or page php file.
So I think there is no danger there, if you can trust the people to
whom you gave edit permission on your ZAP wiki.


Hans
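
Added example, not part of Hans's message and not PmWiki or ZAP code: a farm audit for the condition described above, reporting which fields load the recipe from config.php or a per-group/per-page PHP file and whether that field has a site-wide edit password. Assumptions: the recipe file is named zap.php, each field keeps its customizations in local/, and edit protection is set through $DefaultPasswords['edit'] in config.php; the sample farm is constructed.

```python
import re
import tempfile
from pathlib import Path

RECIPE = "zap.php"  # assumption: the recipe's file name in the farm cookbook directory
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*\b" + re.escape(RECIPE))
EDIT_PW_RE = re.compile(r"\$DefaultPasswords\s*\[\s*['\"]edit['\"]\s*\]\s*=")

def active_lines(php_file):
    """Yield the lines of a PHP file that are not whole-line comments."""
    for line in php_file.read_text(errors="replace").splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "//", "/*", "*")):
            yield line

def audit_field(field_dir):
    """Return (status, local/*.php files loading the recipe); password check is a heuristic."""
    local = Path(field_dir) / "local"  # holds config.php, Group.php, Group.Page.php
    loaders = sorted(f.name for f in local.glob("*.php")
                     if any(INCLUDE_RE.search(ln) for ln in active_lines(f)))
    config = local / "config.php"
    protected = config.is_file() and any(EDIT_PW_RE.search(ln) for ln in active_lines(config))
    if not loaders:
        return "not loaded", loaders
    return ("loaded, edit-protected" if protected else "EXPOSED"), loaders

def audit_farm(field_dirs):
    """Map each field's directory name to its audit result."""
    return {Path(d).name: audit_field(d) for d in field_dirs}

def build_sample_farm(root):
    """Write a constructed three-field farm under root; return the field dirs."""
    inc = 'include_once("$FarmD/cookbook/zap.php");\n'
    files = {
        "public/local/config.php": "<?php\n# " + inc,  # include is commented out
        "forms/local/config.php": "<?php\n$DefaultPasswords['edit'] = crypt('x');\n" + inc,
        "mixed/local/config.php": "<?php\n$EnableUpload = 0;\n",
        "mixed/local/Forms.php": "<?php\n" + inc,  # per-group include, no edit password
    }
    for rel, text in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return sorted(p for p in Path(root).iterdir() if p.is_dir())

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, (status, files) in audit_farm(build_sample_farm(tmp)).items():
            print(f"{name:8} {status:24} {files}")
```

A field reported as EXPOSED loads the recipe while config.php sets no site-wide edit password; passwords set through page or group attributes are not visible to this check.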



