[pmwiki-users] Security/information leak in PmWIki
Patrick R. Michaud
pmichaud at pobox.com
Thu Feb 17 16:02:18 CST 2005
On Thu, Feb 17, 2005 at 04:15:42PM -0500, Neil Herber wrote:
> At 2005-02-17 01:51 PM -0600, Patrick R. Michaud is rumored to have said:
> >> > $SearchPatterns['default'][] = '!^Private\.!';
> >> > $SearchPatterns['all'][] = '!^Private\.!';
> >> > $SearchPatterns['normal'][] = '!^Private\.!';
> > ..... snip ...
> >Yes, the search killers need to be global (local/config.php in the field)
> >to be effective.
>
> One unexpected side effect of this code is that the (:pagelist:) markup no
> longer lists the Private pages. That is fine outside the Private group, but
> it would be convenient if it worked inside the Private group. Not a show
> stopper, and much better than having the names exposed.
Change your config.php to read:
if (strncmp($pagename, 'Private.', 8) != 0) {
$SearchPatterns['default'][] = '!^Private\.!';
$SearchPatterns['all'][] = '!^Private\.!';
$SearchPatterns['normal'][] = '!^Private\.!';
}
This excludes the Private group from searches only if you're not
already in the Private group. :-)
> At first I thought there was a far bigger leak provided by the (:include:)
> directive because (:include Private.Budgets:) displayed the entire budget
> page. However, it only displays if the user already has read permission.
> Without read permission, nothing shows up from the included page. Well done!
Thanks. I have tried to keep the contents of protected pages protected;
the ability to find pages (and deduce their contents via searches) has
been a known item that wasn't until now deemed important enough to worry
about.
I think there's also a PITS entry somewhere about creating a (:cloak:)
directive or way of indicating that pages/groups should be normally
invisible in searches/listings.
Pm
More information about the pmwiki-users
mailing list