[pmwiki-users] Possible bug/security hole? CommentBox allows posting of directives!
Mike
mike at widowitz.com
Sat Sep 30 07:28:18 CDT 2006
Hello all,
It might be that I detected a bug or slight "security hole" in the
CommentBox recipe. When posting on pages without edit rights, obviously
one does not want to allow the poster any rights except to have their
comment show up. However, when the user types in something like
(:title blabla:)
then the user actually changes the title of the page. The same goes for
all other directives - they can be entered by the user.
How could this behavior be avoided? I guess one would need to escape the
code the user enters...
Cheers,
Mike
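One way to do the escaping Mike asks about, shown here as an added example that is not code from the CommentBox recipe, from PmWiki, or from his message: a standalone PHP filter that finds PmWiki directives in a submitted comment and either reports them (so the recipe can refuse the post) or wraps each one in PmWiki's literal-text markup so it is displayed instead of executed. It assumes the usual PmWiki syntax, namely that a directive is written (:name arguments:) and that [=...=] renders its contents verbatim and is closed by the first =] that follows; the function names are my own.

```php
<?php
// Added example, not part of the CommentBox recipe or PmWiki core.
// Assumptions: a directive looks like "(:name ...:)" and "[=...=]" renders
// its contents literally, closing at the first "=]".

// Shared pattern: "(:" + directive name + arguments (lazy, may span lines) + ":)"
define('DIRECTIVE_RE', '/\(:([A-Za-z_][-\w]*)\b(.*?):\)/s');

/**
 * Return the names of every directive found in $text, e.g. array('title', 'include').
 * Use this when the recipe should reject the comment outright rather than rewrite it.
 */
function find_directives($text) {
    preg_match_all(DIRECTIVE_RE, $text, $m);
    return $m[1];
}

/**
 * Callback for one matched directive: wrap it in [=...=] so it is shown as text.
 * A literal "=]" inside the directive would close the escape early, so each one
 * is rewritten as "==][=]": close after the '=', reopen, then emit the ']'.
 * The rendered output is still the original characters.
 */
function escape_one_directive($m) {
    $inner = str_replace('=]', '==][=]', $m[0]);
    return '[=' . $inner . '=]';
}

/** Neutralise every directive in $text while leaving the rest of the comment untouched. */
function escape_directives($text) {
    return preg_replace_callback(DIRECTIVE_RE, 'escape_one_directive', $text);
}

// Constructed sample comment, the kind of input the report describes.
$comment = "Nice page! (:title pwned:)\n(:include SomePage:) and a sneaky (:title a=](:title b:)";

print_r(find_directives($comment));
echo escape_directives($comment), "\n";
```

With the sample above find_directives() returns title, include and title, and escape_directives() turns "(:title pwned:)" into "[=(:title pwned:)=]"; the third directive, which contains "=]", becomes "[=(:title a==][=](:title b:)=]" so that the "(:title b:)" after the early "=]" cannot fire either. Whether to reject or to escape is a policy choice for the recipe; rejecting is simpler to reason about, escaping keeps legitimate comments that merely mention directive syntax. Text a poster has already wrapped in [=...=] by hand will be wrapped a second time, which shows stray brackets but is not a security problem.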