[pmwiki-users] Security/information leak in PmWIki

Patrick R. Michaud pmichaud at pobox.com
Thu Feb 17 16:02:18 CST 2005


On Thu, Feb 17, 2005 at 04:15:42PM -0500, Neil Herber wrote:
> At 2005-02-17  01:51 PM -0600, Patrick R. Michaud is rumored to have said:
> >> >   $SearchPatterns['default'][] = '!^Private\.!';
> >> >   $SearchPatterns['all'][] = '!^Private\.!';
> >> >   $SearchPatterns['normal'][] = '!^Private\.!';
> > ..... snip ...
> >Yes, the search killers need to be global (local/config.php in the field)
> >to be effective.
> 
> One unexpected side effect of this code is that the (:pagelist:) markup no 
> longer lists the Private pages. That is fine outside the Private group, but 
> it would be convenient if it worked inside the Private group. Not a show 
> stopper, and much better than having the names exposed.

Change your config.php to read:

    if (strncmp($pagename, 'Private.', 8) != 0) {
        $SearchPatterns['default'][] = '!^Private\.!';
        $SearchPatterns['all'][] = '!^Private\.!';
        $SearchPatterns['normal'][] = '!^Private\.!';
    }

This excludes the Private group from searches only if you're not
already in the Private group.  :-)

> At first I thought there was a far bigger leak provided by the (:include:) 
> directive because  (:include Private.Budgets:) displayed the entire budget 
> page. However, it only displays if the user already has read permission. 
> Without read permission, nothing shows up from the included page. Well done!

Thanks.  I have tried to keep the contents of protected pages protected;
the ability to find pages (and deduce their contents via searches) has
been a known item that wasn't until now deemed important enough to worry
about.

I think there's also a PITS entry somewhere about creating a (:cloak:)
directive or way of indicating that pages/groups should be normally
invisible in searches/listings.

Pm



More information about the pmwiki-users mailing list