[pmwiki-users] Is a pagelist fmt supposed to be overridable via request=1?

Randy Brown randy at brownragfilms.com
Thu Nov 13 13:17:32 CST 2014


Excellent point about security. Parameters like "fmt#include" and "$:MySecretPTV=?*" could be problems. 

OTOH, request=1 can sometimes make it much easier to offer users options for pagelists. 

Note that setting pagelist parameters via the URL is a non-issue in cases of wikis that allow guests to edit any page at all, including WikiSandbox - since the guest can then write a malicious directive on the page directly.

Markup like the following could plug some anticipated security holes (requires the httpvariables recipe):

(:pagelist (:if ( !equal "{$?fmt}" "#ThisFmtAllowed" ) and ( !equal "{$?fmt}" "#AlsoAllowed" ) :)fmt=#default(:else:)request=1(:ifend:) :)

But that doesn't prevent something like "$:MySecretPTV=?*" from being submitted via the URL, since you may not know in advance what PTVs are hidden on pages that need to be protected.

Maybe someday request=1 can be expanded for security to allow request="order,list,trail,PTV,if" or whatever specific parameters you want to be overridable via the URL. Or maybe someone will think of a better solution.

Randy

> 
> It is not specifically forbidden but I'm not sure if it is desirable to 
> work. People may access to your pagelists in ways you didn't 
> specifically allow. Can this be a security issue? I don't know.
> 
> Does anyone rely on this feature working?
> 
> Petko
> 
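
An added example, not code from the thread or from PmWiki itself: a hypothetical PHP helper (the function name and `$policy` shape are assumptions) that models the narrower `request="order,list,trail,PTV,if"` idea above as an allowlist applied to URL parameters, so that `fmt=#include` and `$:MySecretPTV=?*` are dropped before they reach a pagelist.

```php
<?php
// Added example, not PmWiki code. filterPagelistRequest() and its $policy
// shape are hypothetical; they model the request="order,list,..." idea as
// an allowlist over the query parameters a page agrees to honour.
function filterPagelistRequest(array $query, array $policy): array
{
    $allowedParams = $policy['params'] ?? [];  // plain options, e.g. order, list, trail
    $allowedFmts   = $policy['fmt'] ?? [];     // fmt values the page agrees to render
    $allowedPtvs   = $policy['ptv'] ?? [];     // PTV names users may filter on
    $out = [];
    foreach ($query as $name => $value) {
        if (!is_string($value)) {
            continue;                          // array-valued parameters are never forwarded
        }
        if ($name === 'fmt') {
            // Only listed formats pass; fmt=#include or any unlisted fmt is dropped.
            if (in_array($value, $allowedFmts, true)) {
                $out['fmt'] = $value;
            }
            continue;
        }
        if (strncmp($name, '$:', 2) === 0) {
            // PTV filter: only listed PTV names may be matched, so a wildcard
            // such as $:MySecretPTV=?* cannot probe PTVs the page keeps hidden.
            if (in_array(substr($name, 2), $allowedPtvs, true)) {
                $out[$name] = $value;
            }
            continue;
        }
        if (in_array($name, $allowedParams, true)) {
            $out[$name] = $value;              // e.g. order=name
        }
    }
    return $out;
}

// Constructed query string standing in for $_GET on a page using request=1.
parse_str('fmt=%23include&order=name&%24%3AMySecretPTV=%3F*&%24%3AStatus=open'
        . '&list=normal&trail=Main.Trail', $q);
// Policy: expose only order and list, two named fmts, and the Status PTV.
$policy = [
    'params' => ['order', 'list'],
    'fmt'    => ['#default', '#ThisFmtAllowed'],
    'ptv'    => ['Status'],
];
var_export(filterPagelistRequest($q, $policy));
```

Anything not named in the policy (here `trail`, the `fmt=#include` value and the `$:MySecretPTV` filter) is discarded, while `order`, `list` and `$:Status` pass through unchanged.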



