[pmwiki-users] Is a pagelist fmt supposed to be overridable via request=1?
Randy Brown
randy at brownragfilms.com
Thu Nov 13 13:17:32 CST 2014
Excellent point about security. Parameters like "fmt#include" and "$:MySecretPTV=?*" could be problems.
OTOH, request=1 can sometimes make it much easier to offer users options for pagelists.
Note that setting pagelist parameters via the URL is a non-issue in cases of wikis that allow guests to edit any page at all, including WikiSandbox - since the guest can then write a malicious directive on the page directly.
Markup like the following could plug some anticipated security holes (requires the httpvariables recipe):
(:pagelist (:if ( !equal "{$?fmt}" "#ThisFmtAllowed" ) and ( !equal "{$?fmt}" "#AlsoAllowed" ) :)fmt=#default(:else:)request=1(:ifend:) :)
But that doesn't prevent something like "$:MySecretPTV=?*" from being submitted via the URL, since you may not know in advance what PTVs are hidden on pages that need to be protected.
Maybe someday request=1 can be expanded for security to allow request="order,list,trail,PTV,if" or whatever specific parameters you want to be overridable via the URL. Or maybe someone will think of a better solution.
Randy
>
> It is not specifically forbidden but I'm not sure if it is desirable to
> work. People may access to your pagelists in ways you didn't
> specifically allow. Can this be a security issue? I don't know.
>
> Does anyone rely on this feature working?
>
> Petko
>
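The allowlist idea floated above (a request="order,list,trail,..." style restriction plus a check on fmt) can be sketched outside of PmWiki as a small filter that sits between the query string and the pagelist options. This is an added example for this thread, not PmWiki's own code or the httpvariables recipe; the option and fmt lists, the function name and the sample query are all assumed.

```php
<?php
// Hypothetical filter for pagelist options taken from the URL.
// Models the thread's proposal: only named options may be overridden,
// fmt must come from a fixed list, and PTV filters ("$:Name=?*") and
// anything else unknown are dropped rather than passed to the pagelist.

// Option names a visitor may override via the URL (assumed set).
$AllowedRequestOpts = ['order', 'list', 'trail', 'count'];

// fmt values a visitor may select; fmt=#include and friends never pass.
$AllowedFmts = ['#default', '#ThisFmtAllowed', '#AlsoAllowed'];

function FilterPagelistRequest(array $query, array $allowedOpts, array $allowedFmts)
{
    $out = [];
    foreach ($query as $name => $value) {
        // Ignore array-valued parameters such as ?order[]=x.
        if (!is_string($value)) {
            continue;
        }
        if ($name === 'fmt') {
            // fmt is only honoured when it is one of the listed formats.
            if (in_array($value, $allowedFmts, true)) {
                $out['fmt'] = $value;
            }
            continue;
        }
        // Unknown keys, including "$:SomePTV", are discarded outright.
        if (!in_array($name, $allowedOpts, true)) {
            continue;
        }
        // Keep values to a conservative character set (sort specs, page
        // names, group/page globs); anything directive-like is rejected.
        if (!preg_match('/^[A-Za-z0-9_.,\\-\\/#*]*$/', $value)) {
            continue;
        }
        $out[$name] = $value;
    }
    return $out;
}

// Constructed sample query string, as parse_str() would deliver it.
$sample = [
    'fmt'            => '#include',   // dropped: not an allowed fmt
    'order'          => '-time',      // kept
    '$:MySecretPTV'  => '?*',         // dropped: PTV filter via URL
    'list'           => 'normal',     // kept
    'count'          => '10',         // kept
];
print_r(FilterPagelistRequest($sample, $AllowedRequestOpts, $AllowedFmts));
```

Only the surviving keys would then be merged into the pagelist options in place of a blanket request=1.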