[pmwiki-users] Hierarchical Groups Proposal.

Joachim Durchholz jo at durchholz.org
Wed Oct 18 13:50:24 CDT 2006


Patrick R. Michaud wrote:
> On Wed, Oct 18, 2006 at 06:29:47PM +0200, Joachim Durchholz wrote:
>>> [...] Displaying a page nearly always involves processing its
>>> metadata as well (if only to check permissions), so we aren't really
>>> avoiding the need to do some file parsing somewhere.
>> Right, I didn't see that.
>>
>>> Also, for security reasons we have to encode/decode the contents of
>>> the markup text anyway,
>> Why that?
> 
> Suppose we have a page named "Group.PHP".  Because the file appears
> to have a .php extension, if the file is accessible directly via
> the webserver then any <?php ... ?> sequences that appear in the file
> can be treated as PHP code to be executed.

Ah. I didn't know that PmWiki had this hole plugged by escaping anything 
"dangerous" inside the page.

> PmWiki's PageStore circumvents this problem by encoding all '<'
> characters as '%3a'.  This works out quite nicely, since we also
> want a way to represent newlines in data values, we can just use
> %0a, and then a simple (and presumably somewhat fast) call to
> urldecode() is all that is needed to decode the values.

I do hope that PmWiki also encodes all % characters.
And that the encoding is done for everything (passwords, user agent 
strings, etc.) when the file is written.
:-)

Regards,
Jo
