[pmwiki-users] another problem with blocklist2

Patrick R. Michaud pmichaud at pobox.com
Sun Sep 11 10:31:10 CDT 2005


On Sun, Sep 11, 2005 at 11:07:39AM -0400, Neil Herber wrote:
> The Blocklist2 script checks to see if the page being edited is the 
> Blocklist page itself. If it is, then Blocklist allows anything to be 
> posted. The script checks for BOTH Main.Blocklist and Site.Blocklist, 
> and that is where the problem arises.
> 
> If you are running an older version of PmWiki that uses 
> Main.Blocklist, then you probably do not have a Site group or a page 
> called Site.Blocklist. Spammers have figured this out, and they 
> simply create the page Site.Blocklist and populate it with their 
> "stuff". Because the Blocklist script allows posting to 
> Site.Blocklist, the spammer stuff gets posted. I know this because it 
> happened to me (version 2 beta 40) last night.

You're correct that this is a problem of the blocklist2 recipe for
versions of PmWiki prior to beta44.  For versions after beta44,
the Site group pages are automatically protected against edits,
so this shouldn't be an issue.

> I suspect that the reverse is true - if you are using Site.Blocklist 
> and you do not have a Main.Blocklist, the spammers will just create 
> it and post.

Yes, this appears to be the case.

> The cure is for all users of the Blocklist script to create both 
> Main.Blocklist and Site.Blocklist and edit protect them.

Another cure is to set $BlocklistPages explicitly in config.php.

Longer-term, I think we should just have the recipe use
Site.Blocklist (and only Site.Blocklist) by default.  If
an administrator really needs to keep Main.Blocklist for some
reason, he/she can explicitly configure it in $BlocklistPages.

Thanks,

Pm
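
Added example (not part of the original message, and not PmWiki or blocklist2 code): a simplified Python model of the exemption described in this thread, showing the name-only check beside a stricter check, plus an audit that lists exempt page names which are missing or unprotected. All function names, the page-state dictionary and the sample spam string are assumptions made for illustration; the stricter check is one possible design, not the recipe's.

```python
# Simplified model of the exemption logic discussed in this thread.
# Not PmWiki or blocklist2 code; every name here is hypothetical.

# Both page names are exempt by default, as described in the thread.
DEFAULT_EXEMPT = ("Main.Blocklist", "Site.Blocklist")


def is_blocked(text, terms):
    """True if the posted text contains any blocklisted term."""
    lowered = text.lower()
    return any(term.lower() in lowered for term in terms)


def allow_post_name_only(page, text, terms, exempt=DEFAULT_EXEMPT):
    """Behaviour reported in the thread: the page name alone grants the exemption."""
    if page in exempt:
        return True
    return not is_blocked(text, terms)


def allow_post_hardened(page, text, terms, exempt, wiki):
    """Exempt a page only if it is configured, already exists and is edit-protected."""
    state = wiki.get(page)
    if page in exempt and state is not None and state["protected"]:
        return True
    return not is_blocked(text, terms)


def exposed_exempt_pages(exempt, wiki):
    """Audit: exempt names that are missing (anyone can create them) or unprotected."""
    return [p for p in exempt if p not in wiki or not wiki[p]["protected"]]


# Constructed sample state: an older site that only has Main.Blocklist.
WIKI = {"Main.Blocklist": {"protected": True},
        "Main.HomePage": {"protected": False}}
TERMS = ["cheap-pills.example"]            # constructed blocklist entry
SPAM = "Visit cheap-pills.example today"   # constructed spam post

if __name__ == "__main__":
    print(allow_post_name_only("Site.Blocklist", SPAM, TERMS))
    print(allow_post_hardened("Site.Blocklist", SPAM, TERMS, DEFAULT_EXEMPT, WIKI))
    print(exposed_exempt_pages(DEFAULT_EXEMPT, WIKI))
    # Narrowing the exempt list mirrors setting the list of blocklist pages explicitly.
    print(exposed_exempt_pages(("Main.Blocklist",), WIKI))
```
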