[Pmwiki-users] New version no upload directives available for testing here

Patrick R. Michaud pmichaud
Thu Jan 29 20:10:58 CST 2004


On Thu, Jan 29, 2004 at 11:19:28PM +0100, Christian Ridderström wrote:
> 
> AFAIK, the only problem right now is that 'security' can be bypassed, e.g. 
> it's possible to list the files in another directory and there's no check 
> if this is allowed.
> 
> Patrick, I can put this up as a cookbook extension, or you can have a 
> look at it and see if it should go into 0.6.

I'm probably going to leave this particular feature as a cookbook
extension.  Speaking from experience as a system administrator, I'm
very wary of anything that allows anonymous web users to specify
paths directly into my filesystem--and the elimination of the '/' 
character in attachment names is a reasonable safeguard against that.

This isn't a criticism of the code or the module itself--I'm just
looking at it from a "PmWiki acceptability" perspective.

(As an aside, even Apache receives my trust only because I know
how many sites and reviewers there are for the code.  I'm much more
suspicious of other web-server software because it's so easy to
forget a special case.)

> PS. The new directives now also allow non-English characters in the 
> filenames and directories.

Hmmm, I'm wondering what you had to do to achieve this, and if it would 
help in configuring PmWiki to have non-ASCII characters in page names...?
Can you send me a couple of pointers/tips?

Pm
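
The two checks discussed in this message, sketched as an added example that is not part of the original post and is not PmWiki or cookbook code: rejecting path separators in attachment names, and confirming that a requested listing directory resolves inside the upload root. The function names, `$uploadRoot` and the sample tree are hypothetical and constructed for illustration; rejecting backslash and NUL goes beyond the '/' mentioned above.

```php
<?php
// Added example, not PmWiki code. Function names and $uploadRoot are hypothetical.

// Attachment names: refuse '/', '\' and NUL, plus the dot-only names, so a
// name can only refer to a file directly inside its own directory.
// Non-ASCII characters are left alone; only separators are a path risk.
function safe_attachment_name(string $name): bool {
    if ($name === '' || $name === '.' || $name === '..') return false;
    return strpbrk($name, "/\\\0") === false;
}

// Directory listing: canonicalise the requested directory and require that
// the result is the upload root itself or lies beneath it.
function resolve_listing_dir(string $uploadRoot, string $requested): ?string {
    $root = realpath($uploadRoot);
    $dir  = realpath($uploadRoot . DIRECTORY_SEPARATOR . $requested);
    if ($root === false || $dir === false || !is_dir($dir)) return null;
    if ($dir === $root) return $dir;
    // Compare with a trailing separator so a sibling such as "uploads-old"
    // does not pass as a child of "uploads".
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($dir, $prefix, strlen($prefix)) === 0 ? $dir : null;
}

// Constructed sample tree under the system temp directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'listing_demo_' . getmypid();
$uploadRoot = $base . DIRECTORY_SEPARATOR . 'uploads';
mkdir($uploadRoot . DIRECTORY_SEPARATOR . 'Main', 0700, true);
mkdir($base . DIRECTORY_SEPARATOR . 'uploads-old', 0700, true);

// Constructed requests: only 'Main' and '.' stay inside the upload root.
foreach (['Main', '.', '..', '../uploads-old', 'Main/../..', 'Missing'] as $req) {
    $dir = resolve_listing_dir($uploadRoot, $req);
    printf("%-16s => %s\n", $req, $dir === null ? 'refused' : 'allowed');
}
// Constructed attachment names, including one with non-ASCII characters.
foreach (['notes.txt', 'résumé.pdf', '../config.php', 'a/b.txt', '..'] as $name) {
    printf("%-16s => %s\n", $name, safe_attachment_name($name) ? 'accepted' : 'rejected');
}

// Remove the constructed tree.
rmdir($uploadRoot . DIRECTORY_SEPARATOR . 'Main');
rmdir($uploadRoot);
rmdir($base . DIRECTORY_SEPARATOR . 'uploads-old');
rmdir($base);
```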


