[pmwiki-users] Security/information leak in PmWiki

Patrick R. Michaud pmichaud at pobox.com
Sun Feb 20 16:21:05 CST 2005


On Sun, Feb 20, 2005 at 09:56:48PM +0100, Nils Knappmeier wrote:
> Wouldn't it be better to use RetrieveAuthPage instead of ReadPage to 
> open the pages for a search?
> That way, the user would only get the pages that he is allowed to see.

Searches are already slow.  RetrieveAuthPage is also slow (and
even slower in the face of user-based authorization).  Somehow I 
think that performing RetrieveAuthPage for every page will simply 
make the overall search too slow to be useful.  Better is to exclude
pages from the search based on their name before they're even read.

Also, it's not always true that a site wishes to hide pages that
are otherwise inaccessible -- some sites like to let such pages
be found as "teasers" to other content.

However, I wouldn't have much problem with adding a $EnablePageListAuth
switch that uses RetrieveAuthPage instead of ReadPage for searches
and page listings.  Let me know if anyone is interested.

Pm
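
A toy model of the trade-off discussed in this message, as an added example that is not part of the original post and not PmWiki code: `read_raw` and `read_authed` are hypothetical stand-ins for ReadPage and RetrieveAuthPage, and the pages, user and exclusion pattern are constructed. It compares which page names a search returns to an anonymous user under no check, name-based exclusion before reading, and a per-page authorization check.

```php
<?php
// Constructed in-memory wiki; not PmWiki code. 'readers' => null means public.
$PAGES = [
    'Main.HomePage'  => ['text' => 'Welcome to the wiki',          'readers' => null],
    'Main.Roadmap'   => ['text' => 'Public roadmap, budget TBD',   'readers' => null],
    'Staff.Budget'   => ['text' => 'Budget: salaries and bonuses', 'readers' => ['alice']],
    'Project.Budget' => ['text' => 'Budget draft for review',      'readers' => ['alice']],
];

// Hypothetical stand-in for an unauthenticated read such as ReadPage.
function read_raw(array $pages, string $name): array { return $pages[$name]; }

// Hypothetical stand-in for an authorization-checked read such as
// RetrieveAuthPage: returns null when $user may not read the page.
function read_authed(array $pages, string $name, ?string $user): ?array {
    $p = $pages[$name];
    if ($p['readers'] !== null && !in_array($user, $p['readers'], true)) return null;
    return $p;
}

// $mode: 'raw'  = no check,
//        'name' = skip pages whose name matches $exclude before reading them,
//        'auth' = per-page authorization check.
// Returns [matching page names, number of pages read].
function search(array $pages, string $term, ?string $user, string $mode, string $exclude = ''): array {
    $hits = [];
    $reads = 0;
    foreach (array_keys($pages) as $name) {
        if ($mode === 'name' && $exclude !== '' && preg_match($exclude, $name)) continue;
        $reads++;
        $page = $mode === 'auth' ? read_authed($pages, $name, $user) : read_raw($pages, $name);
        if ($page !== null && stripos($page['text'], $term) !== false) $hits[] = $name;
    }
    return [$hits, $reads];
}

// Anonymous user (null) searching for "budget" under each strategy.
foreach ([['raw', ''], ['name', '/^Staff\./'], ['auth', '']] as [$mode, $ex]) {
    [$hits, $reads] = search($PAGES, 'budget', null, $mode, $ex);
    printf("%-4s reads=%d hits=%s\n", $mode, $reads, implode(', ', $hits));
}
```

In this model the name-based exclusion reads fewer pages but still returns the protected page that the pattern does not cover, so that approach is only as complete as the naming convention behind it.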



