[pmwiki-users] OpenOffice.org file uploads

Algis Kabaila akabaila at pcug.org.au
Mon Nov 13 17:56:54 CST 2006


On Tuesday 14 November 2006 04:03, pmwiki-users-request at pmichaud.com wrote:
> From: Robin Sheat <robin at kallisti.net.nz>
>  To: pmwiki-users at pmichaud.com
>
>   On Monday 13 November 2006 10:45, Algis Kabaila wrote:
> > I will sure try it - it sounds just like what we need.  I was aware of
> > the security issue, but it is our group's opinion that OO.org files are
> > more secure than other types.  I will report the outcome.
>
> They are more secure. The reason PmWiki only specifies allowed extensions
> is for a different security problem. If you could upload (say) a .pl file,
> and the server has mod_perl enabled, then you can do Bad Things(tm). So it
> errs on the side of only letting a few things through. It's to protect the
> server, more than the users :)

A big thank you to all who replied to my post, including Robin.  Following 
your advice I have now enabled our pmwiki to upload OpenOffice files, as 
requested by Rod, to whom I am sending a copy of this email.

I don't know Perl (nor, alas, php...) and it really is too late for me to 
learn.  OTH, I do program Python and as Python is definitely enabled on our 
server (how else would one run "Mailman"?), IMHO security based on file 
extensions is very weak indeed - almost meaningless.  Why? Python will run 
"scripts" (programs) without any extensions of their name.  This is a problem 
for security, is it not?

Thanks again,

OldAl in sweltering Canberra Down-Under. Hi Robin, neighbour!

>
> --
> Robin <robin at kallisti.net.nz> JabberID: <eythian at jabber.kallisti.net.nz>
>
> Hostes alienigeni me abduxerunt. Qui annus est?
>
> PGP Key 0xA99CEB6D = 5957 6D23 8B16 EFAB FEF8  7175 14D3 6485 A99C EB6D
>   End of signed message
>   End of encapsulated message

-- 
Algis Kabaila (Dr)
akabaila[at]pcug[dot]org[dot]au
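
Added example (not part of the original message, and not PmWiki's own code): a Python sketch of the allow-list check Robin describes, including the extensionless case raised in the reply. The function name `check_upload_name` and both extension sets are assumptions made for illustration.

```python
import unicodedata

# Assumed allow-list for this example: OpenDocument formats plus a few inert types.
ALLOWED_EXTS = {"odt", "ods", "odp", "odg", "pdf", "png", "jpg", "gif", "txt"}

# Assumed list of extensions a web server is often configured to pass to an
# interpreter (mod_perl, CGI, PHP, ...). Site configuration decides the real set.
HANDLER_EXTS = {"pl", "cgi", "py", "php", "phtml", "sh", "rb", "shtml"}


def check_upload_name(name):
    """Return (accepted, reason) for a client-supplied upload file name."""
    name = unicodedata.normalize("NFKC", name).strip()
    if not name or any(c in name for c in "/\\\x00"):
        return False, "empty name, path separator or NUL byte"
    if name.startswith("."):
        return False, "dotfile (e.g. .htaccess)"
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        # Default-deny: an extensionless file is not on the allow-list either.
        return False, "no extension"
    exts = parts[1:]
    if exts[-1] not in ALLOWED_EXTS:
        return False, "extension ." + exts[-1] + " not on allow-list"
    # Apache mod_mime looks at every extension in a name, so "x.pl.odt" can
    # still be mapped to a handler registered for .pl.
    inner = [e for e in exts[:-1] if e in HANDLER_EXTS]
    if inner:
        return False, "inner handler extension ." + inner[0]
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample names, not taken from the thread.
    for sample in ["minutes.odt", "Budget.ODS", "tool.pl", "tool",
                   "tool.pl.odt", ".htaccess"]:
        print(sample, "->", check_upload_name(sample))
```

The name check is only half of the protection: serving the upload directory with script handlers disabled means a file that slips through is delivered as data rather than executed.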