[pmwiki-users] Security/information leak in PmWIki

Patrick R. Michaud pmichaud at pobox.com
Sun Feb 20 16:55:29 CST 2005


On Sun, Feb 20, 2005 at 05:25:43PM -0500, Neil Herber wrote:
> At 2005-02-20  04:21 PM -0600, Patrick R. Michaud is rumored to have said:
> >However, I wouldn't have much problem with adding a $EnablePageListAuth
> >switch that uses RetrieveAuthPage instead of ReadPage for searches
> >and page listings.  Let me know if anyone is interested.
> 
> I would be much more interested in the group markup that was alluded to in 
> a previous email, something like (:nosearch:).

Probably would be called (:cloak:) or something like that.  To hide
a group, where would one put this -- in the GroupHeader/GroupFooter
pages?  (Note that this can get quite messy, since an administrator is
always free to change the names of GroupHeader/GroupFooter.)

> For my purposes, being able to exclude a group from searching and page 
> listing unless the request came from inside the group would be adequate.

I'll have to think on this one a bit more.  Probably worth adding
to PITS for now so it doesn't get forgotten.

Pm



More information about the pmwiki-users mailing list