PmWeekly, April 2017

June 10, 2017, at 07:48 AM by Petko in Core, Cookbook (1 comments)

PmWiki activity in April 2017, notably the fix of a severe code injection vulnerability, discussions about the new mobile-friendly skin, and a future PHP incompatibility issue. It also resumes the discussions about and changes to Cookbook recipes.

Version 2.2.96 (2017-04-05) and 2.2.97 (2017-04-07) released - fix for code injection vulnerability

The release notes for the version are included here:

These versions fix a severe PHP code injection vulnerability, reported by Gabriel Margiani. PmWiki versions 2.2.56 to 2.2.95 are concerned.

Only certain local customizations enable the vulnerability. Your website may be at risk if your local configuration or recipes call too early some core functions like CondAuth(), RetrievePageName() or FmtPageName(), before the $pagename variable is sanitized by ResolvePageName() in stdconfig.php. A specific URL launched by a malicious visitor may trigger the vulnerability.

Most recipes call core functions from a $HandleActions function, or from a Markup expression rule, these do not appear to be affected by the current exploit.

If your wiki may be at risk, it is recommended to upgrade to version 2.2.96 or most recent at the earliest opportunity. If you cannot immediately upgrade, you should place the following line in your local (farm)config.php file:

  $pagename = preg_replace('![${}\'"\\\\]+!', '', $pagename);

Place this line near the top of the file but after you include scripts/xlpage-utf-8.php or other character encoding file.

This version filters the $pagename variable to exclude certain characters. A new variable $pagename_unfiltered is added in case a recipe requires the previous behavior. The documentation was updated.

(Version 2.2.97 fixed a bug with $ScriptUrl introduced in 2.2.96.)

Discussions about a new "responsive" core skin

A responsive (mobile-friendly) skin was added in Subversion for the core, based on an earlier 2016 skin, and a discussion started on the mailing list and on the Issue Tracking system.

The original announcement to the mailing list is here (including changes from the 2016 skin).

The following discussion was split between the mailing list and the Issue Tracking System. After input from other users and admins, the skin was improved in order to be included from the version 2.2.98.

The new skin is NOT enabled by default in the default installation, but it is now enabled it on the pmwiki.org website so that more people can test it and report any problems. You can see the new skin on the PmWiki.org website: open it in a mobile device, or even resize your desktop browser to a narrow window. If you want to install the skin on your own wiki, you can download the latest/current version here: pmwiki-responsive.zip.

Code review about future PHP 7.2 compatibility issues

A few years back, we upgraded the core and many recipes to work with PHP version 5.5 and newer, as one function became deprecated and later removed (preg_replace with evaluation). Unfortunately, we fell back to another PHP function that will also become deprecated from PHP 7.2 (create_function). So we have to once again adapt the PmWiki markup processor, document it and update all modules/recipes.

I've made a review of the possible solutions, and the relatively easy one requires we drop support for old versions of PHP<5.3.

Currently PmWiki supports PHP version 4.3 and newer, and our server still runs PHP 5.2. Adapting the markup engine to support PHP 5.2 and older will make the code somewhat scattered and harder to study and maintain. So I've e-mailed my review to Pm and while I'll keep searching for a solution, he may find a better one (waiting for his reply).

BTW, even the "easy" solution will require more than 100 changes in the core; many times for recipes. :-/

Cookbook (addons, modules, skins)

The following cookbook recipes were updated:

  • PkTemplate (Easily create multiple pages from a user-supplied template) by PeterKay : Markup text displayed at bottom of page now honors $ROEPatterns, so user sees what they would see if they edited the page. PkTemplate markup now runs "<_begin" so that (almost all) markup will actually be included in the template, including [=comments=], etc.

  • Highslide (A recipe that enables you to use the Highslide JS application in your wiki.) by SlavomirD? : Update for PHP 5.5 preg_replace() compatibility.

  • CodeMirror (An enhanced page editor for PmWiki) by Dfaure : Fixed source code highlighting for composite highlighters (php, html,...). The computed configuration file should be regenerated.

Discussions on talk pages or on the mailing list:

  • Flash-Talk (Embedding Flash movies; plus recipes for embedding Flash from specific sites like YouTube, Vimeo, GoogleVideo, Flickr, Archive.org, and more...) by rigo : Update for PHP 5.5 preg_replace() compatibility.

  • Video5-Talk (HTML5 Video Support for PmWiki) by matthiasd? : A bug report about missing backgrounds for second and subsequent videos.

1 comments on "PmWeekly, April 2017"

  • CarlosAB: 2017-07-16 12:23 -0500
    I think that 'anonymous functions' would be good to solve the problem with create_function and I wonder if it would be a problem when used as a get pararameter.

Leave a reply
Your name (required):

Your comment (required):


Enter value: Captcha