01417: Debate security warning in ConditionalMarkup

Summary: Debate security warning in ConditionalMarkup
Created: 2017-07-18 20:01
Status: Closed - documentation updated
Category: Documentation
From: Sven
Priority: 3
Version: live
OS: pmwiki.org


Posting here as to not disturb the FAQ style of the discussion page for PmWiki:ConditionalMarkup. Let's discuss here what our goals are for the warning hint, and what to write thus.
I believe ccox's diff on 2017-06-29 was meant to help, but I'm afraid the new wording doesn't convey the variety of possible methods for retrieving hidden content.

While it sounds about right that "conditional markup can be effectively used to control the browsing of content using conditionals", for me as a security researcher the first obvious alarm bells are (1) "can be … used" – how? – and (2) the restriction to "browsing", even though it probably wasn't meant as such. Especially in combination with a hint to action protection, I can imagine readers being mislead to think their secrets in ReadOnly.Secrets? are secure as long as the (farm) config enforces $GLOBALS['action'] = 'browse'; for the ReadOnly.* group. Removing the hint about inclusion from other pages doesn't help readers realize that page permissions of pages other than the secrets page are important.

My intent is to warn wiki admins that if they grant ANY page permissions (read, edit, attr), users will probably be able to obtain page fragments, and it takes special effort to change this. Trying to hide secret content with Conditional Markup is insecure by default – security via Conditional Markup is the exception and is fragile as it depends on many circumstances that may change unexpectedly. To my understanding, the proper way to protect secrets in a wiki page is to restrict ALL of its page permissions to those users who are allowed to know the secrets.
Sven July 18, 2017, at 08:49 PM

Thanks, it is indeed possible to protect content this way but not in the default installation and only after considerable work. I've updated the entry, feel free to improve it further (in a concise manner; if it requires a long explanation, such can be included in a section below that table, or in a cookbook page). --Petko July 18, 2017, at 10:59 PM

I moved the details to Passwords#condmarkup-secrets since there already was an FAQ entry about ConditionalMarkup. — Sven July 19, 2017, at 07:39 AM

Thanks; I wonder if Passwords is a better place than ConditionalMarkup for this FAQ. --Petko July 24, 2017, at 04:15 PM

I do think Passwords is a better place for a security warning: Passwords and security are truly related, a link created by PmWiki's code. In comparison, conditional markup and security are linked only by a misconception, which may or may not exist in a reader's head.
In regards to your demo page Test.CondAuthNotLocked, I'd rather not have the FUD claim reproduced in red box on an admin-locked page that looks like documentation.
Sven August 05, 2017, at 01:05 PM

Thanks, removed. --Petko