[pmwiki-users] Why all this zapping?

Patrick R. Michaud pmichaud at pobox.com
Tue May 1 12:42:43 CDT 2007


On Tue, May 01, 2007 at 12:08:23PM -0400, The Editor wrote:
> On 5/1/07, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> >I'm saying that if ZAP is enabled _anywhere_ on a site that allows
> >_any_ editing by an untrusted user, then the untrusted user
> >can use ZAP to modify any other page on the site, and likely
> >obtain the contents of otherwise read-protected pages.
> 
> How could they do that?  If ZAP is not enabled any ZAP form a person
> created would do absolutely nothing.  

I'll set up a demonstration site that illustrates it.  It'll
take just a bit of time as I want to clearly document it
so there's no question as to what I'm saying.

> It might be possible with the {(sectionlist)} markup because that
> doesn't require a form submission, [...]

I'm talking about the zap.php file I downloaded yesterday
from the ZAP sites.  I'm not using anything but the core
ZAP markups.

> >> Also about the source markup expression...  If a page is blocked for
> >> reading, is it automatically blocked for source?  
> >
> >PmWiki doesn't have anything called 'source' permissions.  I think
> >you're confusing permissions here with ?action=source, and the
> >default permissions for ?action=source are indeed 'read' permission.
> >This is controlled by the setting of $HandleAuth['source']
> >(which defaults to 'read', meaning that read permissions are
> >required to view a page's source via ?action=source).
> 
> Well, I may have expressed myself unclearly but you can check if a
> person has access to view the source of a page with this code you gave
> me (it works!)
> 
> 	if (! CondAuth($p, $HandleAuth['source'])) return '';
> 
> My question was if a page was read protected but the source action was
> not blocked, could a person bypass the read permissions this way?  

You don't seem to have fully grokked my answer.  

The thing that controls ?action=source is $HandleAuth['source'], 
which defaults to 'read' permission.  Thus, placing a read password
on a page automatically blocks ?action=source for anyone who
doesn't have read permissions (unless the admin changes the
setting of $HandleAuth['source']).

For the conditional you've given above, $HandleAuth['source']
evaluates to 'read', thus it's equivalent to executing

    if (! CondAuth($p, 'read')) return '';

This says to return an empty string if the visitor hasn't established
read permissions to the page given by $p.

Pm
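The action-to-permission lookup described above, as an added example that is not part of this thread and not PmWiki's own code: a reduced PHP model in which a table named like $HandleAuth decides which permission level ?action=source needs, and a CondAuth-style check tests whether the visitor has established that level. The sample pages, the session argument, HandleSource and show are hypothetical stand-ins for PmWiki's real page store and dispatch; only the names CondAuth and $HandleAuth come from the thread.

```php
<?php
// Added example for this thread, not PmWiki's own code: a reduced model of
// how an action-to-permission table in the style of $HandleAuth decides
// whether ?action=source is allowed. CondAuth and $HandleAuth keep the names
// used in the thread; the page table, the session argument, HandleSource and
// show are hypothetical stand-ins for PmWiki's real page store and dispatch.

// Default table: viewing a page's source requires 'read' permission.
$HandleAuth = array('source' => 'read', 'edit' => 'edit');

// Constructed sample pages. Each password attribute holds a hash, or '' when
// no password of that kind is set on the page.
$Pages = array(
  'Main.Public' => array('text' => 'public text', 'passwdread' => ''),
  'Main.Secret' => array(
    'text'       => 'secret text',
    'passwdread' => password_hash('hunter2', PASSWORD_DEFAULT),
    'passwdattr' => '',
  ),
);

// Has the visitor, who supplied the passwords in $supplied this session,
// established permission $level on $pagename? Model of CondAuth($p, $level).
function CondAuth($pagename, $level, array $supplied) {
  global $Pages;
  $key  = 'passwd' . $level;
  $hash = isset($Pages[$pagename][$key]) ? $Pages[$pagename][$key] : '';
  if ($hash === '') return true;               // no password of that kind: open
  foreach ($supplied as $pw) {
    if (password_verify($pw, $hash)) return true;
  }
  return false;
}

// Model of the ?action=source handler: look up the permission the table
// demands for 'source' (falling back to 'read' when the entry is unset) and
// refuse with an empty string, as in the conditional quoted in the thread.
function HandleSource($pagename, array $supplied) {
  global $HandleAuth, $Pages;
  $level = (isset($HandleAuth['source']) && $HandleAuth['source'] !== '')
    ? $HandleAuth['source'] : 'read';
  if (!CondAuth($pagename, $level, $supplied)) return '';
  return $Pages[$pagename]['text'];
}

function show($label, $value) {
  echo $label, ': ', ($value === '' ? '(empty, denied)' : $value), "\n";
}

// 1. Default table: the read password on Main.Secret also blocks its source.
show('secret, no password, default table',    HandleSource('Main.Secret', array()));
show('secret, right password, default table', HandleSource('Main.Secret', array('hunter2')));
show('public, no password, default table',    HandleSource('Main.Public', array()));

// 2. The admin changes the table so that 'source' is gated by the 'attr'
//    level instead. Main.Secret has a read password but no attr password, so
//    in this model its source becomes visible to anyone: the read password no
//    longer applies to ?action=source.
$HandleAuth['source'] = 'attr';
show('secret, no password, source gated by attr', HandleSource('Main.Secret', array()));
```

Run it with `php` on the command line. Case 2 is the configuration change the reply warns about: once the 'source' entry no longer resolves to 'read', a read password alone does not protect the page text that ?action=source returns, so any change to that entry should be checked against every password level the site actually sets on its pages.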
