[pmwiki-users] Posting Permission Patterns
Hans
design5 at softflow.co.uk
Fri May 4 13:50:14 CDT 2007
Friday, May 4, 2007, 7:12:37 PM, The Editor wrote:
>> // the following patterns for 'current page' and 'current group'
>> // could be exploited to post to edit protected pages
>> '{$Group}.{$Name}', // current page
>> '{$Group}.*', // all pages in current group
>> */
> Can you explain how these could be exploited, either on or off list.
> It seems with the approach Pm used, the imposed markup would not in
> any way override or change these page variables. Or is it some other
> mechanism you are referring to?
{$Group} and {$Name} will be derived from $pagename. Now the script
cannot control what will be passed to it as $pagename. Some attacker can
set up a form which will post some arbitrary pagename as $pagename to
the form. It does not need much to figure out what the function in the
processor script accepts as $pagename. In other words: there is no safe
'current page' variable, and therefore also no 'current group'.
> Also, another question about your proposed plan. You will require Fox
> admins to set these patterns in a config file for each form that needs
> a different set of patterns? That's a lot of config editing isn't it?
I have not thought about that each form needs different permission
patterns. So far I am only using general patterns for all Fox forms to
obey. Still it means an admin wanting the possibility to post to all
pages in one group needs to explicitly define a group pattern in
a local config file or on Site.FoxConfig. Unless he considers the site
is safe because he can trust all editors, and sets a '*.*' pattern
for allowing posting to all pages (still excluding the pages excluded
with '-' prefixes, like '-Site.*' or '-PmWiki.*').
~Hans
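The point Hans makes above, modelled in code. This is an added example, not Fox or PmWiki code: a small pattern checker whose syntax follows the thread ('Group.Name' with '*' wildcards, '-' prefixed exclusions, '{$Group}' and '{$Name}' expanded from a "current page" name). Shell-style wildcard matching, the function names, and the page names 'Comments.Thread', 'Admin.Passwords' and 'Main.HomePage' are all assumptions made for the illustration. It shows that when the "current page" value comes from the submitted form, '{$Group}.{$Name}' and '{$Group}.*' expand to whatever the sender wants and so admit any target outside the excluded groups, while an explicit group pattern is unaffected by a forged $pagename.

```python
# Added example (not Fox or PmWiki code): a small model of how "posting
# permission patterns" like those in the thread get evaluated, and why a
# pattern built from the request's own pagename cannot protect anything.
# Pattern syntax is modelled on the thread; wildcard semantics here are
# shell-style (fnmatch), which is an assumption about the real recipe.
import fnmatch


def expand(pattern, current_pagename):
    """Substitute {$Group} and {$Name} from the 'current page' name.

    In the scenario Hans describes, current_pagename is taken from the
    submitted form, i.e. it is chosen by whoever builds the POST request.
    """
    group, _, name = current_pagename.partition('.')
    return pattern.replace('{$Group}', group).replace('{$Name}', name)


def split_patterns(patterns, current_pagename):
    """Separate allow patterns from '-' prefixed exclusions, expanding both."""
    allow, deny = [], []
    for p in patterns:
        if p.startswith('-'):
            deny.append(expand(p[1:], current_pagename))
        else:
            allow.append(expand(p, current_pagename))
    return allow, deny


def may_post(target, patterns, current_pagename):
    """True if target matches an allow pattern and no exclusion pattern."""
    allow, deny = split_patterns(patterns, current_pagename)
    if any(fnmatch.fnmatchcase(target, d) for d in deny):
        return False
    return any(fnmatch.fnmatchcase(target, a) for a in allow)


# The "current page" patterns from the quoted comment, plus the exclusions
# Hans mentions.
CURRENT_PAGE_PATTERNS = ['{$Group}.{$Name}', '{$Group}.*', '-Site.*', '-PmWiki.*']

# What Hans recommends instead: the admin names the group(s) the form may
# post to. 'Comments' is a constructed group name for this example.
EXPLICIT_PATTERNS = ['Comments.*', '-Site.*', '-PmWiki.*']

# The "trust all editors" setting from the thread.
TRUST_ALL_PATTERNS = ['*.*', '-Site.*', '-PmWiki.*']

# 'Admin.Passwords' is a constructed name standing in for any edit-protected
# page outside the excluded groups.
PROTECTED_PAGE = 'Admin.Passwords'


def demo():
    """Run the three configurations against an honest post and a forged one."""
    return {
        # Honest form on Comments.Thread posting back to Comments.Thread.
        'honest_current_page': may_post('Comments.Thread', CURRENT_PAGE_PATTERNS, 'Comments.Thread'),
        # Attacker sets $pagename in the POST body to the protected page, so
        # '{$Group}.{$Name}' expands to exactly that page and the check passes.
        'forged_current_page': may_post(PROTECTED_PAGE, CURRENT_PAGE_PATTERNS, PROTECTED_PAGE),
        # Explicit group pattern: the forged $pagename changes nothing.
        'forged_explicit': may_post(PROTECTED_PAGE, EXPLICIT_PATTERNS, PROTECTED_PAGE),
        # '*.*' lets the protected page through, as Hans says it will...
        'trust_all_protected': may_post(PROTECTED_PAGE, TRUST_ALL_PATTERNS, 'Main.HomePage'),
        # ...but the '-' exclusions still hold, even against a forged $pagename.
        'trust_all_site': may_post('Site.AuthUser', TRUST_ALL_PATTERNS, 'Site.AuthUser'),
    }


if __name__ == '__main__':
    for case, allowed in demo().items():
        print(f'{case:22} -> {"ALLOWED" if allowed else "denied"}')
```

The only input the server can trust is the one it does not read from the request: the patterns the admin wrote into the config. Anything derived from the posted $pagename is attacker-controlled, so it can only ever narrow down to "the page the sender asked for", which is no restriction at all.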