[pmwiki-users] Fwd: validating ZAP pagenames & (:pagelist:) problem?
SteP
step.list+pmwiki at gmail.com
Thu Mar 8 02:44:36 CST 2007
Hi Dan,
> Here's the code at zapsite to give you an idea how zap's conditionals
> work:
>
> http://www.fast.st/zap/pmwiki.php?n=Snippets.Create
Yes, that's where I started from originally. You can break it by entering
a group name: "Files.a b c" results in:

    Form submitted. Page Files.Files.a b c has been created.

You won't see that page name in the pagelist, because it's an illegal page
name, but I think it will be in the filesystem (potential for exploits?).
This problem was easier for me to spot because I had modified your snippet
to prefix the entered page name with a fixed group. That's where it
breaks.
> Just add something like
>
> (:zap passdata="fieldname" formname:)
That works perfectly, thank you.
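
One way to reject the double-prefixed, space-containing name reported in the message above before anything is written to disk. This is an added example, not part of the original post and not PmWiki or ZAP code; the function name `build_page_name` and both patterns are assumptions chosen for illustration.

```php
<?php
// Hypothetical helper (added example): builds "Group.Name" from a form
// field when the form fixes the group, and rejects anything else.
// Assumed rules: a group starts with an uppercase letter, a name with an
// uppercase letter or digit; both continue with word characters and may
// contain hyphen-separated parts. No spaces, no extra separators.
const GROUP_PATTERN = '/^[A-Z][A-Za-z0-9_]*(?:-[A-Za-z0-9_]+)*$/';
const NAME_PATTERN  = '/^[A-Z0-9][A-Za-z0-9_]*(?:-[A-Za-z0-9_]+)*$/';

/**
 * Returns the full page name, or null when the input must be rejected.
 */
function build_page_name(string $fixedGroup, string $input): ?string
{
    $input = trim($input);

    // Accept either "Name" or "Group.Name" ("/" is treated like ".").
    $parts = preg_split('#[./]#', $input);

    if (count($parts) === 2) {
        [$group, $name] = $parts;
        // A user-supplied group is only tolerated when it equals the fixed
        // one, so "Files.X" is never turned into "Files.Files.X".
        if ($group !== $fixedGroup) {
            return null;
        }
    } elseif (count($parts) === 1) {
        $name = $parts[0];
    } else {
        return null; // more than one separator
    }

    // Validate both halves before the name is used as a file name.
    if (!preg_match(GROUP_PATTERN, $fixedGroup) || !preg_match(NAME_PATTERN, $name)) {
        return null;
    }
    return $fixedGroup . '.' . $name;
}

// Constructed sample inputs, including the one from the message.
$samples = ['NewPage', 'Files.NewPage', 'Files.a b c', 'a b c',
            'Other.Page', 'Files.Files.X'];
foreach ($samples as $s) {
    $result = build_page_name('Files', $s);
    printf("%-16s => %s\n", $s, $result ?? 'REJECTED');
}
```

Only the first two samples yield `Files.NewPage`; the rest, including "Files.a b c", are rejected so the create step can stop before writing a page file.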