[pmwiki-users] Re: Persistent Spam even with blocklist

Wendell Brown wbrown at arkie.net
Mon Aug 29 10:36:38 CDT 2005


Patrick, it looks like it's also possible to fool the text block by 
using encoded URLs.  Here is the code I'm going to add to MTBlackList 
to avoid this hole:

  $str = html_entity_decode( rawurldecode( $str ) );  // %xx escapes first, then &amp; &#NN; etc.
  // decimal entities; a callback instead of the /e modifier (it evaluates the replacement as PHP and was removed in PHP 7)
  $str = preg_replace_callback( '/&#([0-9]+);/',
      function( $m ) { return chr( $m[1] ); }, $str );

I don't know if you want to add something like that to BlackList2 or not.

Patrick R. Michaud wrote:
> On Mon, Aug 29, 2005 at 02:32:46PM +0000, Bob Atkins wrote:
> 
>>I know 1.0.11 is something of an old version, so there may be issues there. I 
>>don't think version 2 is out of beta yet, or if there will be an easy upgrade 
>>path.
> 
> 
> In reviewing the 1.0.11 code it looks as though it's possible for
> people to bypass the various blocklist recipe(s) by using 
> ?action=post directly, which was left in for backwards compatibility
> with previous versions of PmWiki.
> 
> Try adding the following to the very beginning of your config.php:
> 
>     if ($action == 'post') $action='edit';
> 
> I think that should force all posts through the blocklist.
> 
> Pm
> 
> _______________________________________________
> pmwiki-users mailing list
> pmwiki-users at pmichaud.com
> http://host.pmichaud.com/mailman/listinfo/pmwiki-users
> 
> 
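The decoding step Wendell describes, written out as an added example so the bypass and the fix can be run side by side. This is not code from PmWiki, MTBlackList or anyone in this thread; it assumes PHP 7.2 or later with the mbstring extension, and the function names, the blocklist entry and the sample post bodies are made up for illustration. It normalizes a post body (percent-encoding, named/decimal/hex entities with or without the trailing ';', and double-encoding) before matching, and compares that against a naive substring match on the raw body.

```php
<?php
// Added example, not code from PmWiki, MTBlackList or this thread.
// Assumes PHP >= 7.2 with the mbstring extension (for mb_chr()).
// Function names and the blocklist entry below are made up for illustration.

// Normalize an untrusted post body before blocklist matching so that
// percent-encoding, HTML entities (named, decimal, hex, with or without
// the trailing ';') and double-encoding cannot hide a blocked string.
// The result is used only for matching, never stored or displayed,
// so over-decoding legitimate text here costs nothing.
function normalize_for_blocklist(string $str): string
{
    for ($round = 0; $round < 4; $round++) {   // bounded: stop at a fixed point
        $prev = $str;
        $str = rawurldecode($str);                               // %2D -> '-'
        $str = html_entity_decode($str, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        // Numeric entities that lack the ';' terminator; browsers still render them.
        $str = preg_replace_callback('/&#x([0-9a-f]+);?/i', function ($m) {
            $c = mb_chr((int) hexdec($m[1]), 'UTF-8');
            return $c === false ? '' : $c;                       // drop invalid code points
        }, $str);
        $str = preg_replace_callback('/&#([0-9]+);?/', function ($m) {
            $c = mb_chr((int) $m[1], 'UTF-8');
            return $c === false ? '' : $c;
        }, $str);
        if ($str === $prev) {
            break;
        }
    }
    return mb_strtolower($str, 'UTF-8');
}

// Return the first blocklist entry found in the normalized body, or null.
function blocklist_hit(string $body, array $blocklist): ?string
{
    $norm = normalize_for_blocklist($body);
    foreach ($blocklist as $entry) {
        if (mb_stripos($norm, $entry, 0, 'UTF-8') !== false) {
            return $entry;
        }
    }
    return null;
}

// Constructed inputs: the same spam link under the encodings that slip
// past a naive substring match against the raw body.
$blocklist = ['casino-pills.example'];
$samples = [
    'http://casino-pills.example/',                       // plain
    'http%3A%2F%2Fcasino%2Dpills%2Eexample%2F',           // percent-encoded
    'http://casino&#45;pills&#46;example/',               // decimal entities
    'http://casino&#x2d;pills&#x2e;example/',             // hex entities
    'http://casino&#45pills&#46example/',                 // entities without ';'
    'http%3A%2F%2Fcasino%2526%252345%253Bpills.example/', // double-encoded: -> %26%2345%3B -> &#45; -> '-'
];
foreach ($samples as $s) {
    $naive = stripos($s, $blocklist[0]) !== false ? 'hit ' : 'miss';
    $hard  = blocklist_hit($s, $blocklist) !== null   ? 'hit ' : 'miss';
    printf("raw=%s normalized=%s  %s\n", $naive, $hard, $s);
}
```

Run it with `php normalize.php`: the first column is the naive match on the raw body (a hit only for the plain form), the second is the match after normalization (a hit for all six). The decode loop is bounded and stops at a fixed point, so a body that keeps producing new escapes cannot spin it forever. This only covers the encoding bypass; Patrick's `?action=post` point is a separate matter of routing every post through the blocklist at all.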
