[pmwiki-users] Security questions

Patrick R. Michaud pmichaud at pobox.com
Thu Sep 28 12:49:25 CDT 2006


On Thu, Sep 28, 2006 at 01:39:41PM -0400, The Editor wrote:
> Just a couple questions.  Only one on security actually.
> 
> I'm wanting to dataproof form submissions to prevent harmful things
> from being posted to a page through a form.  I'm using WritePage to
> save the page, and was wondering if I needed any further precautions?
> I was wondering if the data is saved in some kind of coded form to be
> non-operational, when it is retrieved and displayed in a page (through
> Readpage), is it decoded?  So that a malicious person might be able to
> introduce something into it?

WritePage/ReadPage are transparent to the caller -- whatever values 
you put in via WritePage are exactly what you get back from ReadPage.

Internally WritePage does encoding of values to make it easier
for ReadPage to parse the file, and also to avoid a potential
security problem if the files in wiki.d/ are directly accessible
via the web.  Example:  Suppose there's a page called "XYZ.PHP";
if the webserver can access it, then any "<?" sequences in the file
would be treated as php code.  WritePage prevents this by encoding
any '<' in the file as '%3a'.  However, ReadPage converts the %3a's
back into '<', so that you get back the same value that was sent
to WritePage.

The upshot of this is that WritePage only makes sure the files in
wiki.d/ aren't easily exploited, but does nothing about any values
you may send to a browser.  For that you typically want to use
htmlspecialchars(...) around anything generated from user input.

> Secondly, can anyone explain the difference between [==] and [@@].  I
> need some kind of invisible delimiter for my logging functions and was
> thinking one or the other might be useful.

The difference is in the markup produced:  [=...=] produces exactly
what is inside the brackets, while [@...@] surrounds it with either 
<code> or <pre> depending on whether the enclosed text contains
newlines.

Pm
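The two layers Pm describes, as an added illustration that is not PmWiki's own code: a hypothetical store/load pair that percent-encodes '<' so nothing in the saved file can start PHP code, round-trips the value transparently, and therefore leaves the browser unprotected unless htmlspecialchars() is applied at output. The escape sequence and the function names are assumptions of this example, not PmWiki's actual encoding or API.

```php
<?php
// Storage side (stand-in for what WritePage does): percent-encode '%' first,
// then '<', so a literal "%3C" submitted by a user still round-trips and the
// stored file never contains '<' (hence never "<?").
function store_field(string $value): string {
    return str_replace(['%', '<'], ['%25', '%3C'], $value);
}

// Reading side (stand-in for ReadPage): reverse the encoding in the opposite
// order, returning exactly what was submitted, hostile markup included.
function load_field(string $stored): string {
    return str_replace(['%3C', '%25'], ['<', '%'], $stored);
}

// Unsafe rendering: the transparent read-back goes into HTML as-is.
function render_unsafe(string $value): string {
    return '<td>' . $value . '</td>';
}

// Safe rendering: escape at the output boundary, quotes and charset included.
function render_safe(string $value): string {
    return '<td>' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed sample submissions: hostile markup, and a literal "%3C"
// that must survive the round-trip unchanged.
foreach (['<script>alert(1)</script>', 'price: 5%3C'] as $submitted) {
    $stored = store_field($submitted);
    echo "stored:      ", $stored, "\n";                         // no '<' on disk
    echo "round-trip:  ", var_export(load_field($stored) === $submitted, true), "\n";
    echo "unsafe html: ", render_unsafe(load_field($stored)), "\n";
    echo "safe html:   ", render_safe(load_field($stored)), "\n\n";
}
```

The stored line shows why the file in wiki.d/ is defused, and the "unsafe html" line shows the same value arriving in the page intact; only the htmlspecialchars() path neutralises it for the browser.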
