[pmwiki-users] Fwd: validating ZAP pagenames & (:pagelist:) problem?

SteP step.list+pmwiki at gmail.com
Thu Mar 8 02:44:36 CST 2007


Hi Dan,

> Here's the code at zapsite to give you an idea how zap's conditionals
> work:
> 
> http://www.fast.st/zap/pmwiki.php?n=Snippets.Create

Yes, that's where I started from originally. You can break it by entering
a group name; "Files.a b c" results in:

    Form submitted. Page Files.Files.a b c has been created.

You won't see that page name in the pagelist, because it's an illegal page 
name, but I think it will be in the filesystem (potential for exploits?). 
This problem was easier for me to spot because I had modified your snippet 
to prefix the entered page name with a fixed group. That's where it 
breaks.


> Just add something like
> 
> (:zap passdata="fieldname" formname:)

That works perfectly, thank you.
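
The page-name problem described in the message above, shown as a check that runs before a fixed group is prefixed to a form field. This is an added example, not code from the original message, ZAP or PmWiki. The function name, the `Files` group constant and the name pattern are assumptions chosen for illustration.

```php
<?php
// Added example, not ZAP or PmWiki code. FIXED_GROUP and NAME_PATTERN are
// assumptions: a conservative rule (leading uppercase letter or digit, then
// word characters, optional hyphenated parts) used here for illustration.
const FIXED_GROUP  = 'Files';
const NAME_PATTERN = '/^[A-Z0-9][A-Za-z0-9_]*(?:-[A-Za-z0-9_]+)*$/D';

/**
 * Build "Group.Name" from a form field, or return null when the field is not
 * a bare page name. Rejecting is deliberate: silently stripping characters
 * could map two different inputs onto the same existing page.
 */
function build_page_name(string $field, string $group = FIXED_GROUP): ?string
{
    $field = trim($field);
    // A "." or "/" means the user supplied a group of their own; whitespace
    // and path separators never belong in a name that becomes a file on disk.
    if (!preg_match(NAME_PATTERN, $field)) {
        return null;
    }
    return $group . '.' . $field;
}

// Constructed sample inputs, including the one quoted in the message above.
$samples = ['NewPage', 'Files.a b c', 'a b c', '../../local/config', 'Report-2007'];
foreach ($samples as $s) {
    $page = build_page_name($s);
    printf("%-22s => %s\n", json_encode($s), $page ?? 'REJECTED');
}
```

With these samples only `NewPage` and `Report-2007` produce a page name; the input from the message is rejected instead of becoming `Files.Files.a b c`.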



