01275: pmwiki exit line missing from new xlpage-iso-8859-2.php script

Summary: pmwiki exit line missing from new xlpage-iso-8859-2.php script
Created: 2011-12-12 09:53
Status: Closed - fixed for 2.2.36
Category: Bug
From: JJ
Priority: 5
Version: 2.2.35
OS: Solaris 10/Apache2/PHP 5.2.6

Description: While security scanning our instance of PmWiki, I found that the new xlpage-iso-8859-2.php script is missing the "if (!defined('PmWiki')) exit();" line at the top.

P.S. The old publish.php recipe is missing it too... I know it's a recipe, but we use it and others may, so thought I would mention it.

P.P.S. I also think it may be good to add another issue Category of "Security".


For this specific file, there is absolutely no security breach if the file is accessed directly -- it will die at the first and only function call, SDVA(), everything else is defining variables. But, ok, this line will be added for the next version. --Petko December 12, 2011, at 04:29 PM

For a real security issue, we appreciate it if we are contacted privately by e-mail so that we can fix it before the public disclosure. --Petko December 12, 2011, at 04:36 PM
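
The check described in the report, as an added example (not PmWiki's code and not the scanner the reporter used): a Python audit that lists `.php` files whose first statement is not the `if (!defined('PmWiki')) exit();` guard. The function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Guard as quoted in the report (exit/die, with or without "()"); SKIP is what may precede it.
GUARD = re.compile(
    r"""if\s*\(\s*!\s*defined\s*\(\s*(['"])PmWiki\1\s*\)\s*\)\s*(?:exit|die)\s*(?:\(\s*\))?\s*;""")
OPEN_TAG = re.compile(r"\A\s*<\?php\b", re.I)
SKIP = re.compile(r"(?:\s+|/\*.*?\*/|(?://|#)[^\n]*)*", re.S)


def has_guard(source):
    """True if the guard is the first statement after the opening <?php tag."""
    m = OPEN_TAG.match(source)
    if not m:
        return False
    pos = SKIP.match(source, m.end()).end()  # step over whitespace and comments
    return GUARD.match(source, pos) is not None


def audit(root):
    """Return sorted relative paths of .php files under root that lack the guard."""
    missing = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="latin-1") as fh:
                    if not has_guard(fh.read(4096)):  # the guard belongs at the top
                        missing.append(os.path.relpath(path, root))
    return sorted(missing)


def demo():
    """Run the audit over a constructed tree: one guarded script, one unguarded."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "scripts"))
        samples = {
            "scripts/guarded.php": "<?php if (!defined('PmWiki')) exit();\n$x = 1;\n",
            "scripts/unguarded.php": "<?php\n# only defines variables\n$x = 1;\n",
        }
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        return audit(root)


if __name__ == "__main__":
    print(demo())
```

PmWiki's entry script defines the constant rather than testing it, so it is expected to appear in the output and can be allow-listed.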