[pmwiki-users] Posting Permission Patterns

Hans design5 at softflow.co.uk
Fri May 4 13:50:14 CDT 2007


Friday, May 4, 2007, 7:12:37 PM, The Editor wrote:

>>  // the following patterns for 'current page' and 'current group'
>>  // could be exploited to post to edit protected pages
>>  '{$Group}.{$Name}',    // current page
>>  '{$Group}.*',          // all pages in current group
>> */

> Can you explain how these could be exploited, either on or off list.
> It seems with the approach Pm used, the imposed markup would not in
> any way override or change these page variables.  Or is it some other
> mechanism you are referring to?

{$Group} and {$Name} will be derived from $pagename. Now the script
cannot control what will be passed to it as $pagename. Some attacker can
set up a form which will post some arbitrary pagename as $pagename to
the form. It does not need much to figure out what the function in the
processor script accepts as $pagename. In other words: there is no safe
'current page' variable. And therefore also no 'current group'.

> Also, another question about your proposed plan.  You will require Fox
> admins to set these patterns in a config file for each form that needs
> a different set of patterns?  That's a lot of config editing isn't it?

I have not thought about that each form needs different permission
patterns. So far I am only using general patterns for all Fox forms to
obey. Still it means an admin wanting the possibility to post to all
pages in one group needs to explicitly define a group pattern in
a local config file or on Site.FoxConfig. Unless he considers the site
is safe because he can trust all editors, and sets a '*.*' pattern
for allowing posting to all pages (still excluding the pages excluded
with - prefixes, like '-Site.*', '-PmWiki.*').


  ~Hans
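As an added illustration of the point made above (example code, not Fox's or PmWiki's own; the pattern syntax, the helper names and the sample patterns are assumptions taken from this thread): a '{$Group}.*' pattern expanded from a page name that arrived in the POST request ends up granting whatever target the request names, whereas explicit patterns set by the admin do not.

```php
<?php
// Added example, not Fox/PmWiki code. Assumed pattern syntax from the thread:
// 'Group.Name' with '*' wildcards; a leading '-' excludes, and exclusions win.

function fox_pattern_allows($target, $patterns) {
    $allowed = false;
    foreach ($patterns as $pat) {
        $deny = ($pat[0] === '-');
        if ($deny) {
            $pat = substr($pat, 1);
        }
        // Turn 'Main.*' into a regex; '*' matches within one name component.
        $regex = '/^' . str_replace('\*', '[^.]*', preg_quote($pat, '/')) . '$/';
        if (preg_match($regex, $target)) {
            if ($deny) {
                return false;   // an exclusion always wins, whatever else matched
            }
            $allowed = true;
        }
    }
    return $allowed;
}

// Unsafe: derive {$Group}/{$Name} from the pagename the request itself supplied.
function expand_from_posted_pagename($patterns, $posted_pagename) {
    list($group, $name) = explode('.', $posted_pagename, 2);
    return str_replace(array('{$Group}', '{$Name}'), array($group, $name), $patterns);
}

$patterns = array('-Site.*', '-PmWiki.*', '{$Group}.*');

// A request names 'Main.Protected' both as target and as 'current page':
// '{$Group}.*' becomes 'Main.*', so the target matches the pattern it generated.
$target  = 'Main.Protected';
$unsafe  = expand_from_posted_pagename($patterns, $target);
var_dump(fox_pattern_allows($target, $unsafe));

// Safer: explicit patterns from local config or Site.FoxConfig, nothing derived
// from the request. 'Main.Protected' is not covered by 'Comments.*'.
$explicit = array('-Site.*', '-PmWiki.*', 'Comments.*');
var_dump(fox_pattern_allows($target, $explicit));

// Even a trusting '*.*' site keeps the '-' exclusions in force for Site.* pages.
var_dump(fox_pattern_allows('Site.AuthUser', array('-Site.*', '*.*')));
```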



