[pmwiki-users] Upload protection not working

ccox@endlessnow.com ccox at endlessnow.com
Mon Jun 6 20:15:16 CDT 2016


I'm going to try a fresh install.  This is on a privately owned CentOS 7 box.

Sent on the new Sprint Network

----- Reply message -----
From: "Patrick R. Michaud" <pmichaud at pobox.com>
To: "ccox at endlessnow.com" <ccox at endlessnow.com>
Cc: "pmwiki-users" <pmwiki-users at pmichaud.com>
Subject: [pmwiki-users] Upload protection not working
Date: Mon, Jun 6, 2016 8:12 PM

I'm a bit stumped.

Grasping at some straws:

1.  Change the name of "directors.jpg" to something else and see if
that fixes anything.  (Perhaps the url result itself has been cached 
somewhere?  I've had this happen to me and then spent hours/days trying 
to figure it out, when it turned out my ISP was caching things and
ignoring cache-control headers.)

2.  farmconfig.php ?

3.  Try a different group and page and see if the problem persists ?

4.  Try a fresh pmwiki.php install, with only the upload-related variables set?

Pm


On Mon, Jun 06, 2016 at 06:23:36PM -0500, ccox at endlessnow.com wrote:
>    If I remove the download param I get the login page.  I don't have any
>    other PHP involved.
>    Sent on the new Sprint Network
>    ----- Reply message -----
>    From: "Patrick R. Michaud" <pmichaud at pobox.com>
>    To: <ccox at endlessnow.com>
>    Cc: <pmwiki-users at pmichaud.com>
>    Subject: [pmwiki-users] Upload protection not working
>    Date: Mon, Jun 6, 2016 6:14 PM
> 
> Out of curiosity, what happens if you attempt to access the page
> via incognito mode or equivalent?  I'm wondering if somehow you're
> obtaining authorization through another path... e.g., perhaps an
> admin authorization that has been cached somewhere.
> 
> Also, what happens if you remove the "?action=download" portion?
> Do you get something denying immediate access to the Test/Directors
> page (e.g., an authentication prompt), or do you see the page itself?
> If the latter, then authorization isn't being blocked for some reason
> unrelated to uploads/downloads.
> 
> Lastly, is there anything in the Test.php (group config) that might be
> throwing off the authorization stuff?
> 
> Pm
> 
> 
> 
> On Mon, Jun 06, 2016 at 05:46:30PM -0500, ccox at endlessnow.com wrote:
> > So I stripped out AuthUser as well and set a simple password on page and I
> > can still get to the attachment using:
> >
> > [1]https://www.example.com/Test/Directors?action=download&upname=directors.jpg
> >
> > My config.php attached.
> >
> >
> > > I've stripped my config.php down to just my AuthUser ldap stuff.. with per
> > > page uploads defined and I can get to the attachment even though I don't
> > > have read permissions for the page.
> > >
> > >
> > > I know it's asking a lot, but is it possible to do a test with AuthUser
> > > involved?  I'm using ldap but I know that's probably harder to do.
> > >
> > > Let me know if you want my config.php (devoid of comments), etc.
> > >
> > >
> > >> It works as expected on pmwiki.org:
> > >>
> > >>
> > >> [2]http://www.pmwiki.org/wiki/TestProtected/TestProtected?action=download&upname=pmwiki-32.gif
> > >>
> > >> If you have per-group uploads and want to protect a file, there is no
> > >> point in protecting a single page - a visitor can download the file from
> > >> another, unprotected page. In this case PmWiki will require "read"
> > >> permissions for the whole group, which you set in
> > >> GroupAttributes?action=attr.
> > >>
> > >> If you have per-page uploads, PmWiki requires "read" permissions for the
> > >> page.
> > >>
> > >> "upload" permissions are only required for people to upload files, not
> > >> to download them. To download them they need "read" permissions.
> > >>
> > >> Petko
> > >>
> > >> ---
> > >> Change log     :  [3]http://www.pmwiki.org/wiki/PmWiki/ChangeLog
> > >> Release notes  :  [4]http://www.pmwiki.org/wiki/PmWiki/ReleaseNotes
> > >> If you upgrade :  [5]http://www.pmwiki.org/wiki/PmWiki/Upgrades
> > >>
> > >>
> > >> On 2016-06-06 21:44, ccox at endlessnow.com wrote:
> > >>> Consider the following url.  I have direct downloads disabled and
> > >>> htaccess is blocking the uploads area.  So attachments get translated
> > >>> like so:
> > >>>
> > >>> [6]https://www.example.com/Test/Directors?action=download&upname=directors.jpg
> > >>>
> > >>> However, I have protected read, edit, attr and upload for the page
> > >>> Test/Directors.. and I can still get to the content.
> > >>>
> > >>> Do I have to protect the group instead?  Perhaps I need to go to
> > >>> per-page uploads? Would that fix things?
> > >>
> > >> _______________________________________________
> > >> pmwiki-users mailing list
> > >> pmwiki-users at pmichaud.com
> > >> [7]http://www.pmichaud.com/mailman/listinfo/pmwiki-users
> > >>
> > >
> > >
> > >
> 
> > $WikiTitle = 'Agora';
> > $ScriptUrl = 'https://'.$_SERVER['HTTP_HOST'];   # HTTP_HOST is taken from the client's Host header
> > $PubDirUrl = 'https://'.$_SERVER['HTTP_HOST'].'/pmwiki/pub';
> > $EnablePathInfo = 1;
> > $PageLogoUrl = "$PubDirUrl/skins/pmwiki/skopos-small.png";
> > $DefaultPasswords['admin'] = array(pmcrypt('secret'), '@admins');
> > $HandleAuth['diff'] = 'edit';
> > $DefaultPasswords['edit'] = 'id:*';
> > $Author = $AuthId;
> > include_once("scripts/xlpage-utf-8.php");
> > $EnableGUIButtons = 1;
> > include_once("scripts/creole.php");
> > $EnableUpload = 1;
> > $DefaultPasswords['upload'] = 'id:*';
> > $EnableDirectDownload=0;
> > $EnableUploadGroupAuth=1;
> > $UploadPrefixFmt = '/$Group/$Name';
> > $EnablePageListProtect = 1;
> > if ($action == 'refcount') include_once("scripts/refcount.php");
> > if ($action == 'rss')  include_once("scripts/feeds.php");  # RSS 2.0
> > if ($action == 'atom') include_once("scripts/feeds.php");  # Atom 1.0
> > if ($action == 'dc')   include_once("scripts/feeds.php");  # Dublin Core
> > if ($action == 'rdf')  include_once("scripts/feeds.php");  # RSS 1.0
> > $AutoCreate['/^Category\\./'] = array('ctime' => $Now);
> > Markup("'~", "inline", "/'~(.*?)~'/", "<i>$1</i>");        # '~italic~'
> > Markup("'*", "inline", "/'\\*(.*?)\\*'/", "<b>$1</b>");    # '*bold*'
> 
> 
> References
> 
>    1. https://www.example.com/Test/Directors?action=download&upname=directors.jpg
>    2. http://www.pmwiki.org/wiki/TestProtected/TestProtected?action=download&upname=pmwiki-32.gif
>    3. http://www.pmwiki.org/wiki/PmWiki/ChangeLog
>    4. http://www.pmwiki.org/wiki/PmWiki/ReleaseNotes
>    5. http://www.pmwiki.org/wiki/PmWiki/Upgrades
>    6. https://www.example.com/Test/Directors?action=download&upname=directors.jpg
>    7. http://www.pmichaud.com/mailman/listinfo/pmwiki-users
>    8. http://www.pmichaud.com/mailman/listinfo/pmwiki-users
>   11. http://www.pmichaud.com/mailman/listinfo/pmwiki-users

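The rule Petko states in the quoted reply (attachments under per-group uploads are governed by the group's read password set in GroupAttributes, attachments under per-page uploads by the page's own read password) can be checked with a small model. The code below is an added example, not code from the thread or from PmWiki. The Wiki class, its field names, the reachable_via() helper and the sample pages Directors, HomePage and Minutes are illustrative assumptions, and the model deliberately ignores the rest of PmWiki's password cascade (site-wide $DefaultPasswords, AuthUser groups, the admin password) so that the per-group versus per-page difference stands out.

```python
"""Model of the download rule described in the thread (added example, not
PmWiki code).  Only two things are modelled: where ?action=download&upname=
looks for the file, and which 'read' password gates that lookup."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Wiki:
    # True  -> $UploadPrefixFmt = '/$Group/$Name' (per-page uploads)
    # False -> $UploadPrefixFmt = '/$Group'       (per-group uploads, the default)
    per_page_uploads: bool
    page_read: Dict[str, str] = field(default_factory=dict)   # 'Group.Name' -> read password
    group_read: Dict[str, str] = field(default_factory=dict)  # 'Group' -> read password (GroupAttributes)

    def storage_path(self, group: str, name: str, upname: str) -> str:
        """Where a download requested through page Group/Name is looked up."""
        if self.per_page_uploads:
            return f"uploads/{group}/{name}/{upname}"
        return f"uploads/{group}/{upname}"

    def read_allowed(self, group: str, name: str, supplied: Optional[str]) -> bool:
        """'read' check for a download requested through page Group/Name."""
        if self.per_page_uploads:
            # per-page uploads: the page's own read password, else the group's
            needed = self.page_read.get(f"{group}.{name}") or self.group_read.get(group)
        else:
            # per-group uploads: only the group-level read password counts,
            # which is why a password on a single page does not block the file
            needed = self.group_read.get(group)
        return needed is None or needed == supplied


def reachable_via(wiki: Wiki, group: str, owner: str, upname: str,
                  pages: List[str], supplied: Optional[str] = None) -> List[str]:
    """Pages of `group` through which `upname` (attached to `owner`) is downloadable."""
    target = wiki.storage_path(group, owner, upname)
    return [p for p in pages
            if wiki.storage_path(group, p, upname) == target
            and wiki.read_allowed(group, p, supplied)]


def demo() -> Dict[str, List[str]]:
    # constructed sample data: three pages in the Test group
    pages = ["Directors", "HomePage", "Minutes"]
    # 1. per-group uploads, read password only on Test/Directors
    w1 = Wiki(per_page_uploads=False, page_read={"Test.Directors": "secret"})
    # 2. per-group uploads, read password on Test/GroupAttributes instead
    w2 = Wiki(per_page_uploads=False, group_read={"Test": "secret"})
    # 3. per-page uploads, read password on Test/Directors
    w3 = Wiki(per_page_uploads=True, page_read={"Test.Directors": "secret"})
    return {
        "per_group_page_pw": reachable_via(w1, "Test", "Directors", "directors.jpg", pages),
        "per_group_group_pw": reachable_via(w2, "Test", "Directors", "directors.jpg", pages),
        "per_page_page_pw": reachable_via(w3, "Test", "Directors", "directors.jpg", pages),
        "per_page_page_pw_authed": reachable_via(w3, "Test", "Directors", "directors.jpg",
                                                 pages, supplied="secret"),
    }


if __name__ == "__main__":
    for label, paths in demo().items():
        print(f"{label}: {paths}")
```

In the first scenario the file is reachable through every page of the group, the protected one included, which is the situation Petko warns about; moving the password to GroupAttributes, or switching to per-page uploads, closes it in this model.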
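Pm's suggestions in the quoted reply (repeat the request without any cached authorization, drop the action=download part, try another page of the same group) amount to a three-request probe. The script below is an added example, not part of the thread or of PmWiki. It assumes that PmWiki's password prompt can be recognised by its authpw form field, that the site uses path-style URLs as in the config above ($EnablePathInfo = 1), and that the base URL, group and page names are placeholders supplied on the command line; classify() works on the raw status, content type and body so it can be exercised without a server.

```python
"""Anonymous probe for the download-protection checks suggested in the thread
(added example, not PmWiki code)."""
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Dict, Tuple


def classify(status: int, content_type: str, body: bytes) -> str:
    """'served' = the attachment itself came back; 'login' = a PmWiki password
    prompt (assumed to carry an 'authpw' field); 'denied' = a hard 4xx;
    'page' = an ordinary wiki page was rendered."""
    ctype = (content_type or "").split(";")[0].strip().lower()
    if status == 200 and ctype and not ctype.startswith("text/html"):
        return "served"
    if b"authpw" in body:
        return "login"
    if 400 <= status < 500:
        return "denied"
    return "page"


def fetch(url: str) -> Tuple[int, str, bytes]:
    """GET with a fresh opener and no cookie jar: the equivalent of incognito
    mode, so no admin or AuthUser session can leak into the result."""
    opener = urllib.request.build_opener()  # deliberately no HTTPCookieProcessor
    req = urllib.request.Request(url, headers={"Cache-Control": "no-cache"})
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), err.read()


def checklist(base: str, group: str, page: str, upname: str, other_page: str) -> Dict[str, str]:
    """The three requests from the thread, each classified."""
    query = urllib.parse.urlencode({"action": "download", "upname": upname})
    urls = {
        "download_via_protected_page": f"{base}/{group}/{page}?{query}",
        "protected_page_itself": f"{base}/{group}/{page}",
        "download_via_other_page": f"{base}/{group}/{other_page}?{query}",
    }
    return {label: classify(*fetch(url)) for label, url in urls.items()}


if __name__ == "__main__":
    if len(sys.argv) != 6:
        sys.exit("usage: probe.py BASE_URL GROUP PAGE UPNAME OTHER_PAGE")
    for label, verdict in checklist(*sys.argv[1:]).items():
        print(f"{label}: {verdict}")
```

Run it from a host that holds no session with the wiki, e.g. `probe.py https://www.example.com Test Directors directors.jpg HomePage`. With per-page uploads and a read password on the page, all three lines should read login; served on the first line reproduces the report in this thread, and served on the third line with per-group uploads is the path through an unprotected sibling page that Petko describes. A wiki page whose text happens to contain the string authpw would be classified as login, so treat the verdict as a first cut rather than proof.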