[pmwiki-users] Upload protection not working

Petko Yotov 5ko at 5ko.fr
Wed Jun 8 03:20:55 CDT 2016


On 2016-06-08 06:04, Christopher Cox wrote:
> Behold the culprit:
> 
> $EnableUploadGroupAuth=1;
> 
> That creates the security hole.

Here is the documented variable, unset by default, so it was certainly 
enabled by your wiki-administrator:

   http://www.pmwiki.org/UploadVariables#EnableUploadGroupAuth

People have argued that this prevents a larger security hole.

Without this variable, when you have a protected group, and a single 
unprotected page, any file uploaded to the group can be downloaded with 
a URL containing the unprotected page.

The other way around is even worse: with per-group directories, any file 
can be downloaded from the page with least restricted permissions: if 
the group is unprotected but you have a single protected page, all files 
can be downloaded from any other page of that group, even pages that 
don't exist.

See http://www.pmwiki.org/wiki/Cookbook/SecureAttachments (section Note 
about security) and http://www.pmwiki.org/wiki/PITS/01104 (Protection of 
per-group attachments is done per-page instead of per-group).

With the default per-group uploads but per-page passwords, I don't think 
there is a better solution -- any suggestions will be welcome.

Or, if this can be better documented, please do it.

Petko
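
The trade-off described in this message, as an added example that is not part of the original e-mail and not PmWiki code: a simplified Python model of the download check over per-group upload directories, used to flag groups whose files an anonymous visitor can still reach. The function names, the sample wiki and the reading of $EnableUploadGroupAuth as "check the group's read password only" are assumptions made for illustration.

```python
# Simplified model (an assumption, not PmWiki source code) of who may download
# a file from a per-group upload directory.
from typing import Dict, List, Optional

def page_is_protected(page: str, group_pw: Dict[str, bool],
                      page_pw: Dict[str, Optional[bool]]) -> bool:
    """Effective read protection: the page's own setting, else the group's."""
    group = page.split(".", 1)[0]
    own = page_pw.get(page)          # None also covers pages that don't exist
    return group_pw.get(group, False) if own is None else own

def anonymous_download_ok(url_page, group_pw, page_pw, group_auth) -> bool:
    """Would a visitor with no password get a file of url_page's group?"""
    group = url_page.split(".", 1)[0]
    if group_auth:                   # models $EnableUploadGroupAuth = 1
        return not group_pw.get(group, False)
    return not page_is_protected(url_page, group_pw, page_pw)

def exposed_groups(group_pw, page_pw, group_auth) -> List[str]:
    """Groups holding protected content whose files are still reachable
    anonymously through some page name in the download URL."""
    flagged = []
    for group, gpw in sorted(group_pw.items()):
        own = {p: v for p, v in page_pw.items() if p.startswith(group + ".")}
        has_protected = gpw or any(v is True for v in own.values())
        # Candidate URL pages: every known page plus one that does not exist.
        candidates = list(own) + [group + ".NoSuchPage"]
        reachable = any(anonymous_download_ok(p, group_pw, page_pw, group_auth)
                        for p in candidates)
        if has_protected and reachable:
            flagged.append(group)
    return flagged

# Constructed sample wiki: True = read password, False = explicitly opened.
GROUP_PW = {"Staff": True, "Public": False, "Closed": True}
PAGE_PW = {"Staff.Welcome": False, "Staff.Payroll": None,
           "Public.Home": None, "Public.Drafts": True,
           "Closed.Notes": None}

if __name__ == "__main__":
    for mode in (False, True):
        print("group_auth =", mode, "->", exposed_groups(GROUP_PW, PAGE_PW, mode))
```

In this model only a group with uniform protection (here "Closed") is clean in both modes; an administrator mixing per-page and per-group passwords would need to move protected files into a group of their own.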


