[pmwiki-users] RSS Security issue

Patrick R. Michaud pmichaud at pobox.com
Sun Apr 17 08:57:56 CDT 2005


On Sun, Apr 17, 2005 at 05:55:24AM -0400, Crisses wrote:
> When I have RSS enabled and Main/Blocklist is in the RecentChanges 
> page, but is edit & read passworded, it still shows up in the RSS feed.
> 
> i.e. http://www.kinhost.org/wiki/Main/RecentChanges?action=rss
> [...]
> This page is passworded via /local/Main.Blocklist.php

It's not possible to read-protect pages/groups via the per-page
(or per-group) customizations, because those customizations aren't
loaded when you aren't accessing that page directly.

In this case, since you're accessing Main.RecentChanges, 
local/Main.Blocklist.php isn't being loaded and so the page
appears unprotected.  

Page and group passwords should always be done through ?action=attr.

Pm
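
The loading behaviour described in the reply above, as an added example that is not part of the original message and is not PmWiki code. It is a simplified model with hypothetical names and a constructed password, and it assumes passwords set through ?action=attr are stored with the page and checked wherever that page is read.

```python
# Simplified model, not PmWiki code. All names and values are constructed.

# Per-page customization files, keyed by page name. Each one sets a read
# password in the config of the *current request*, the way a file such as
# local/Main.Blocklist.php would.
LOCAL_CUSTOMIZATIONS = {"Main.Blocklist": {"read_password": "s3cret"}}

def make_pages(attr_protected):
    """Build a page store; 'attrs' models passwords saved via ?action=attr."""
    attrs = {"read_password": "s3cret"} if attr_protected else {}
    return {
        "Main.RecentChanges": {"attrs": {},
                               "links": ["Main.HomePage", "Main.Blocklist"]},
        "Main.HomePage": {"attrs": {}},
        "Main.Blocklist": {"attrs": attrs},
    }

def load_config(requested_page):
    """Only the customization for the page named in the URL is loaded."""
    return dict(LOCAL_CUSTOMIZATIONS.get(requested_page, {}))

def can_read(page, config, supplied_password):
    """A password applies if it is in the page's attrs or the loaded config."""
    required = (page["attrs"].get("read_password")
                or config.get("read_password"))
    return required is None or supplied_password == required

def view(pages, requested_page, supplied_password=None):
    """Direct access: the requested page's own customization is in effect."""
    config = load_config(requested_page)
    return can_read(pages[requested_page], config, supplied_password)

def rss_feed(pages, requested_page, supplied_password=None):
    """Feed of linked pages; config belongs to the requested page only."""
    config = load_config(requested_page)
    return [name for name in pages[requested_page]["links"]
            if can_read(pages[name], config, supplied_password)]

if __name__ == "__main__":
    weak = make_pages(attr_protected=False)
    print("direct view allowed:", view(weak, "Main.Blocklist"))
    print("feed with per-page file only:", rss_feed(weak, "Main.RecentChanges"))
    fixed = make_pages(attr_protected=True)
    print("feed with page attribute:", rss_feed(fixed, "Main.RecentChanges"))
```

In the first case the page looks protected when requested directly yet is listed in the feed, because the feed request only loads the configuration for Main.RecentChanges.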


