[pmwiki-users] Increased recipe security without much hassle (Was: Infected Cookbook Recipes?)

Ian MacGregor ianmacgregor at pobox.com
Wed Oct 8 16:10:46 CDT 2008


This message is in reference to:
http://pmichaud.com/pipermail/pmwiki-users/2008-September/052378.html

I've an idea about this.

1) Author generates an MD5 hash
2) Author uploads the recipe and adds a $RecipeName-hash page and links
to it (ex. CookBook.MyRecipe would have a hash page of
CookBook.MyRecipe-hash)
3) Author adds the hash to the $RecipeName-hash page and then password
protects editing of that page, not the recipe page itself.

This way the hash can't be changed by anyone except the author and we
know where each hash page would be for each recipe - we know not to
trust any hash we find on CookBook.MyRecipe-hash2 or
CookBook.Myrecipe-Hash. Of course all recipe authors would need to agree
on a single form of the hash page link. 

Generating an MD5 hash takes less than a minute and adding the hash to
the "hash" page is even faster. I'm not sure about Windows but this MD5
sum can even be automated on Linux (bash script or ~/.bash_aliases). I
would think that this added bit of "work" - although it's not enough to
complain about - would help ensure that people are using the correct
versions of recipes. Of course it has no effect if the recipe user
doesn't check the recipe against the hash but at least the security is
there.

I wonder how many people are avoiding the use of recipes because of this
issue.

-- 
Regards,
Rev. Ian MacGregor D.D., D.B.S.


On Wed, 2008-10-08 at 21:01 +0200, ThomasP wrote:
> On Wed, October 8, 2008 9:09 pm, Ian MacGregor wrote:
> > I must have missed the first part of this conversation. What exactly is
> > the problem?
> >
> 
> Hi,
> 
> there was a discussion going on starting on 21st of Sep, see
> 
> http://pmichaud.com/pipermail/pmwiki-users/2008-September/052378.html
> http://pmichaud.com/pipermail/pmwiki-users/2008-September/thread.html
> 
> The problem is not security of uploads on pmwiki deployments in general
> (which indeed could be password protected), but the integrity of files
> uploaded to the recipe pages on pmwiki.org (where the current open
> permission setup is a "fixed variable" with good reasons).
> 
> Thomas
> 
> 
> _______________________________________________
> pmwiki-users mailing list
> pmwiki-users at pmichaud.com
> http://www.pmichaud.com/mailman/listinfo/pmwiki-users
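
The user-side check implied by the scheme above, as an added example that is not part of the original message: it accepts a hash only if it came from the exact `<RecipePage>-hash` page name and matches the downloaded file. The function names, exit codes and arguments are assumptions made for illustration; `md5sum` is used because the post proposes MD5, and `sha256sum` can be substituted by changing the command and the expected digest length.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread). Page names follow the
# convention proposed in the message; all sample values are constructed.

# Canonical hash page: CookBook.MyRecipe -> CookBook.MyRecipe-hash
hash_page_for() {
    printf '%s-hash' "$1"
}

# usage: verify_recipe <recipe_page> <page_the_hash_came_from> <published_hash> <file>
# returns 0 = match, 1 = mismatch, 2 = untrusted hash page,
#         3 = malformed hash, 4 = unreadable file
verify_recipe() {
    local recipe_page="$1" source_page="$2" published="$3" file="$4" actual

    # Exact, case-sensitive comparison: "-hash2" or "-Hash" variants are rejected.
    if [ "$source_page" != "$(hash_page_for "$recipe_page")" ]; then
        echo "untrusted hash page: $source_page" >&2
        return 2
    fi

    # Normalise to lowercase and require exactly 32 hex digits (MD5 length).
    published=$(printf '%s' "$published" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    case "$published" in
        ""|*[!0-9a-f]*) echo "malformed hash" >&2; return 3 ;;
    esac
    [ "${#published}" -eq 32 ] || { echo "malformed hash" >&2; return 3; }

    [ -r "$file" ] || { echo "cannot read $file" >&2; return 4; }
    actual=$(md5sum "$file" | cut -d' ' -f1)

    if [ "$actual" != "$published" ]; then
        echo "MISMATCH $file: published $published, computed $actual" >&2
        return 1
    fi
    echo "OK $file"
}
```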