[pmwiki-users] Custom PageVariables from request strings: critical vulnerability
Oliver Betz
list_ob at gmx.net
Mon Feb 29 05:54:33 CST 2016
Petko Yotov wrote:
> the recipe "HttpVariables" provides access to request strings
it doesn't offer a method to have a get /or/ post parameter in a
single PTV as I had in:
$FmtPV['$foo'] = 'isset($_GET["foo"]) ? $_GET["foo"] : @$_POST["foo"]';
The markup {$!foo} is stated as "might not be reliable"; the documentation
is somewhat fuzzy in this respect: "{$!request_var} may produce
different results under different php.ini configurations."
I think I will make my own solution based on HttpVariables.
BTW: Is the code cited above secure because it's in single quotes?
Oliver
P.S. I still consider "return-to mangling" useful, replies to list
messages should go to the list by default.
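
One way to build the GET-or-POST page variable asked about above, as an added example that is not part of the original message and is not PmWiki's or the HttpVariables recipe's code. RequestVar() and page_var() are hypothetical names; the example assumes PmWiki evaluates each $FmtPV entry as a PHP expression at lookup time, which page_var() stands in for.

```php
<?php
// Added example. RequestVar() and page_var() are hypothetical helpers.

// Return the GET value if present, otherwise the POST value, otherwise ''.
// Only values matching an allow-list pattern are passed through.
function RequestVar($name, $pattern = '/^[A-Za-z0-9 _.,-]{1,200}$/D') {
  if (isset($_GET[$name]))      $v = $_GET[$name];
  elseif (isset($_POST[$name])) $v = $_POST[$name];
  else return '';
  // foo[]=... arrives as an array; refuse it instead of stringifying it.
  if (!is_string($v)) return '';
  // The allow-list rejects HTML and wiki markup characters alike.
  return preg_match($pattern, $v) ? $v : '';
}

$FmtPV = array();
// Single quotes: what is stored is fixed source text written by the admin.
// The request value is read only when the expression is evaluated, and it
// comes back as a string value, never as part of the evaluated source.
$FmtPV['$foo'] = 'RequestVar("foo")';

// Stand-in (assumption) for the lookup step that evaluates the expression.
function page_var($var) {
  global $FmtPV;
  if (!isset($FmtPV[$var])) return '';
  return eval("return ({$FmtPV[$var]});");
}

// Constructed sample requests, not taken from the thread.
$samples = array(
  array('get' => array('foo' => 'Main.HomePage'), 'post' => array()),
  array('get' => array(), 'post' => array('foo' => 'from post')),
  array('get' => array('foo' => '<b>hi</b>'), 'post' => array('foo' => 'x')),
  array('get' => array('foo' => array('a', 'b')), 'post' => array()),
);

echo 'stored expression: ', $FmtPV['$foo'], "\n";
foreach ($samples as $s) {
  $_GET  = $s['get'];
  $_POST = $s['post'];
  echo json_encode($s), ' => ', json_encode(page_var('$foo')), "\n";
}
```

The third sample shows that a rejected GET value does not fall back to POST: the parameter was supplied, failed the allow-list, and the variable is empty.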