[pmwiki-users] Infected Cookbook Recipes?

Sandy sandy at onebit.ca
Mon Sep 22 12:17:59 CDT 2008

kirpi at kirpi.it wrote:
> While I see pmwiki site under spam attack, and after having restored a
> couple of web pages, I'm troubling myself with the following
> (dreadful) thought: is there a sort of security
> lock/code/flag/hash/signature/whatever allowing people to trust
> (somehow) the recipes the community upload/download and let run inside
> its servers?

Valid concern, although I don't know how tempting a target we are.

A Two-part Solution:

First, Maintainers and/or watchers monitor their recipe pages with 
Notify. Many already do this. Yes, they'd have to password their 
watchlist. (Anyone knowledgeable enough to infect a recipe would know how
to edit a watchlist.)

Second, Watch for Uploads. There are some 3rd party recipes that do this 
already, but I don't know how they work. It might be easiest to say that 
an upload counts as changing all pages that reference it, which then 
triggers Notify. If you get notified of a change you didn't make,...

This method still puts the onus on the page maintainer(s), but it 
requires no more work than they already do when they volunteer to watch 
and/or maintain a page. For legitimate updates, they get an email saying 
something they already know (and maybe some other watchers sending them 
email to double-check).

It fails when a recipe doesn't have a maintainer and/or watcher.
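
Added example, not part of the original message and not PmWiki or recipe code: a sketch of the "upload counts as changing all pages that reference it" idea, comparing uploads against a stored SHA-256 baseline and routing each change to the watchers of the referencing pages. It assumes recipe pages link their files with `Attach:` markup; the function names, page names, file names and addresses are hypothetical, and the sample data is constructed.

```python
import hashlib
import re

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def changed_uploads(baseline, uploads):
    """Return {filename: reason} for uploads that are new or whose hash differs."""
    changes = {}
    for name, data in uploads.items():
        if name not in baseline:
            changes[name] = "new"
        elif baseline[name] != digest(data):
            changes[name] = "modified"
    return changes

def pages_referencing(pages, filename):
    """Pages whose text links the file; 'foo.php' must not match 'foo.php.bak'."""
    pat = re.compile(r"Attach:" + re.escape(filename) + r"(?!\.?[\w-])")
    return sorted(page for page, text in pages.items() if pat.search(text))

def notifications(baseline, uploads, pages, watchers):
    """Treat each changed upload as a change to every page that references it."""
    out = {}
    for name, reason in sorted(changed_uploads(baseline, uploads).items()):
        for page in pages_referencing(pages, name) or ["(unreferenced)"]:
            # The gap noted in the post: a page nobody watches. Surface it
            # under a catch-all key instead of dropping the change silently.
            for who in watchers.get(page) or ["(unwatched)"]:
                out.setdefault(who, []).append((page, name, reason))
    return out

# Constructed sample data (hypothetical names, not from the mailing list).
BASELINE = {"foo.php": digest(b"<?php /* v1 */"),
            "bar.php": digest(b"<?php /* bar */")}
UPLOADS = {"foo.php": b"<?php /* v1, altered */",
           "bar.php": b"<?php /* bar */",
           "orphan.php": b"<?php /* new file */"}
PAGES = {"Cookbook.Foo": "Download Attach:foo.php.",
         "Cookbook.Bar": "Get Attach:bar.php here",
         "Cookbook.Orphan": "See Attach:orphan.php"}
WATCHERS = {"Cookbook.Foo": ["maintainer@example.org"]}

if __name__ == "__main__":
    for who, items in notifications(BASELINE, UPLOADS, PAGES, WATCHERS).items():
        print(who, items)
```

The baseline has to live somewhere a wiki editor cannot write to, for the same reason the post gives for password-protecting the watchlist.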


