[pmwiki-users] PHP slashes (was ZAP Permissions and Includes)

The Editor editor at fast.st
Fri Oct 13 06:01:04 CDT 2006


On 10/12/06, The Editor <editor at fast.st> wrote:
> On the ZAP forum I was asked about whether the following lines in a
> config file would keep someone from including a Data page into another
> page, and thus being able to see the stuff you are trying to protect.
> (Pardon my slashes).
>
> $pagename = ResolvePageName($pagename); if (substr($pagename !=
> \"ZAP-\") $DefaultPasswords[\'read\'] = \'id:*\'; else
> $DefaultPasswords[\'read\'] = \'id:AdminName\';
> $DefaultPasswords[\'edit\'] = \'id:AdminName\';
> $DefaultPasswords[\'admin\'] = \'id:AdminName\';
>
> uhh, how about this:
>
> $pagename = ResolvePageName($pagename);
> // assumes protected pages have names beginning with "ZAP-"
> if (substr($pagename, 0, 4) != "ZAP-")
>      $DefaultPasswords['read'] = 'id:*';
> else $DefaultPasswords['read'] = 'id:AdminName';
> $DefaultPasswords['edit'] = 'id:AdminName';
> $DefaultPasswords['admin'] = 'id:AdminName';
>
> After checking... I discovered this was a vulnerability if the protect
> feature is not used to disable directives...
>
> Maybe it needs to be worked the other way. All pages are not readable,
> and then if a page is not a ZAP- page you reset the permissions to
> nopass or id or whatever.  Thoughts?
>
> The other option (of course) is to disable directives using the ZAP
> protect feature. Thanks for pointing this out Crisses.
>
> Now about those slashes...
>
> Cheers
> Caveman


By the way, I've been looking into this and discovered the slashes are
only on the webserver, not my home system.  Does anyone know if this is a
PHP glitch, or a configuration problem or what?  I believe my home
machine is PHP 4.4.2, and the server 4.4.4.

I suppose I just need to add an extra stripslashes() line somewhere?

Cheers,
Caveman
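
The include problem described in the quoted message, as an added example that is not part of the original post and is not PmWiki or ZAP code: a simplified model in which the default read password is chosen from the requested page name, so an included page is checked against the requester's default rather than its own. The functions `default_read_password()`, `can_read()` and `render()`, the page names, the user "visitor" and the "ZAP-" prefix test are assumptions made for illustration.

```php
<?php
// Simplified model of the problem, not PmWiki or ZAP code.
// Page names and contents are constructed samples.
$pages = array(
    'Main.HomePage'    => 'Welcome. (:include ZAP-Data.Members:)',
    'ZAP-Data.Members' => 'member list (protected)',
);

// Default read password picked from a page name, mirroring the quoted config.
// Assumption: protected pages have names beginning with "ZAP-".
function default_read_password($pagename) {
    return (substr($pagename, 0, 4) != 'ZAP-') ? 'id:*' : 'id:AdminName';
}

// 'id:*' admits any logged-in user; 'id:Name' admits only that user.
function can_read($user, $password) {
    if ($user === '') return false;
    return $password === 'id:*' || $password === 'id:' . $user;
}

// $perTarget = false: one default, set from the requested page, covers includes too.
// $perTarget = true: each included page is checked against its own default.
function render($requested, $user, $perTarget, $pages) {
    $requestDefault = default_read_password($requested);
    if (!can_read($user, $requestDefault)) return '[denied]';
    return preg_replace_callback(
        '/\(:include (\S+?):\)/',
        function ($m) use ($user, $perTarget, $requestDefault, $pages) {
            if (!isset($pages[$m[1]])) return '';
            $pw = $perTarget ? default_read_password($m[1]) : $requestDefault;
            return can_read($user, $pw) ? $pages[$m[1]] : '[denied]';
        },
        $pages[$requested]
    );
}

// A logged-in, non-admin user ("visitor", hypothetical):
echo render('ZAP-Data.Members', 'visitor', false, $pages), "\n"; // direct request
echo render('Main.HomePage', 'visitor', false, $pages), "\n";    // include, per-request default
echo render('Main.HomePage', 'visitor', true, $pages), "\n";     // include, per-target check
```

Run as written, the first and third calls deny the protected text, while the second returns it because the include inherits the default chosen for Main.HomePage.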



