[pmwiki-users] Re: Re: Upload Enhancement for file deletion

Dan Weber webmaster at drwhosting.net
Wed Dec 14 16:44:20 CST 2005


"Patrick R. Michaud" <pmichaud at pobox.com> wrote in message 
news:20051214201154.GF32393 at host.pmichaud.com...
> On Wed, Dec 14, 2005 at 01:32:45PM -0500, Dan Weber wrote:
>>
>> "sven saurwein" <saurwein at komit.at> wrote in message
>> news:43A0595D.4060608 at komit.at...
>> > I - once again for usability reasons- suggest putting lines
>> > 65 ...('Are you sure you want to delete ' + name + '?')...
>> > and
>> > 75  ...&lt;del&gt;...
>> >
>> > also in the XLSDV
>>
>> I also added the change that the delete link does not show up when the 
>> user
>> does not have upload privileges.
>>
>> I'll add this script to a cookbook entry
>
> I just reviewed Dan's script -- my first comment is "excellent work" --
> you've written most of the things the way I would've done them.
> Congratulations on being able to follow the original code so well!
>
> However, there's a couple of *serious* flaws we'll have to address.
> Since all of the delete links are normal GET requests encoded in
> <a href='...'> tags, the first robot to come along and follow those
> links is going to delete all of the uploads.
>
> Oops.
>
> Password protection won't help, as many sites (e.g., pmwiki.org)
> run with uploads unprotected.  Robot protection won't help, as
> we're bound to miss at least one robot, or a robot may cloak under
> a different user agent identifier.
>
> I think the output of (:attachlist:) will have to be a form with
> checkboxes and a submit button or multiple submit buttons.
> Robots typically do not follow links given in forms.  Personally
> I favor checkboxes, since it's an automatic form of confirmation,
> and it also makes it easier to remove multiple things at once.
>
> The other problem is that the filename= parameter isn't currently
> being filtered in any way.  So, anyone with upload privileges can do
> ".../pmwiki.php?action=delattach&filename=../../wiki.d/Private.GroupAttributes"
> and they'll have successfully removed a page from the wiki, with no
> backup available or trace of what happened.
>
> Oops.
>
> Lastly, I don't think the script should directly unlink items;
> instead it should probably rename them with a timestamp the way
> that PmWiki does for deleting pages.  Otherwise a malicious person
> can completely eliminate lots of uploads.  (This could be
> controlled by an appropriate $Enable option.)
>
> Pm

Wow - thanks Patrick, for outlining the problems. It shows that you have 
more experience than me ;-)

I uploaded a new version to the cookbook page and to this post.

- Files are now selected with a checkbox
- Multiple files can be deleted at once
- Delete action is a post action through a form
- Filenames pass a basic filter for validation

Dan 
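For readers following the thread, here is an added example (not Dan's attached attachdel.php and not PmWiki's own code) of a delete handler that addresses the three points Pm raised: it only acts on a POST, it rejects any filename that is not a bare name inside the upload directory, and it renames instead of unlinking when the flag is set. The function names, the $uploadDir argument and the $renameInstead flag (standing in for the "$Enable option" Pm mentions) are assumptions.

```php
<?php
// Added example for the pmwiki-users thread; not code from Dan's script
// or from PmWiki. Function names and parameters are hypothetical.

// Accept only a bare attachment name: no path separators, no "..",
// no leading dot, and only a conservative character set (tighten or
// loosen the class to match the site's upload name policy).
function safeAttachName($fn) {
    if (!is_string($fn) || $fn === '') return null;
    if (preg_match('/[\/\\\\]/', $fn)) return null;        // "../" style traversal
    if ($fn === '.' || $fn === '..' || $fn[0] === '.') return null;
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $fn)) return null;
    return $fn;
}

// Delete (or timestamp-rename) the requested attachments.
// $files is the list submitted by the checkbox form, e.g. $_POST['files'].
// Returns an array mapping each requested name to 'deleted', 'rejected' or 'failed'.
function deleteAttachments($uploadDir, array $files, $renameInstead = true) {
    $result = array();
    // A crawler following <a href="..."> links sends GET, never POST.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') return $result;
    $base = realpath($uploadDir);
    if ($base === false) return $result;
    foreach ($files as $fn) {
        $safe = safeAttachName($fn);
        if ($safe === null) { $result[$fn] = 'rejected'; continue; }
        // Second line of defence: the resolved path must stay under $base,
        // so a symlink or an odd name cannot reach wiki.d/ or elsewhere.
        $real = realpath($base . '/' . $safe);
        if ($real === false || strpos($real, $base . '/') !== 0 || !is_file($real)) {
            $result[$fn] = 'rejected';
            continue;
        }
        if ($renameInstead) {
            // Keep a recoverable copy, in the style of PmWiki's ",del-<timestamp>"
            // rename for deleted pages, rather than destroying the file outright.
            $ok = rename($real, $real . ',del-' . time());
        } else {
            $ok = unlink($real);
        }
        $result[$fn] = $ok ? 'deleted' : 'failed';
    }
    return $result;
}

// Typical call from the postdelattach action handler (assumed name):
// $result = deleteAttachments($uploaddir, (array)@$_POST['files'], $EnableRenameOnDelete);
```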

