[pmwiki-announce] How to patch an older version of PmWiki
Petko Yotov
5ko at 5ko.fr
Sat Nov 12 04:20:07 CST 2011
Hello. PmWiki version 2.2.35, released yesterday, fixed a serious security bug
which affected many older PmWiki versions since 2005. The bug was reported by
Egidio Romano. If you can, you should upgrade to the latest version (read the
release notes and make backups first).
In case you cannot upgrade to the most recent version 2.2.35, this message
explains how you can correct your pagelist.php file from an old version.
The change adds one line to the function MakePageList(). That line removes
unwanted characters from the 'order' parameter of pagelists or searches.
How to know which PmWiki version you have
-----------------------------------------
Your current version appears on the page [[PmWiki.PmWiki]] on your wiki.
Alternatively, you can write in a wiki sandbox the variable {$Version} and
save the page: your PmWiki version will be shown in the place of {$Version}.
Alternatively, look into the file pmwiki/scripts/version.php.
PmWiki 2.0.beta33 to 2.0.beta55, 2.0.0 to 2.0.13, 2.1.beta1 to 2.1.beta14
-------------------------------------------------------------------------
Open the file pmwiki/scripts/pagelist.php and search for the line:

  function MakePageList($pagename, $opt) {

After this line, insert a new line:

  $opt['order'] = preg_replace('/[^-\\w:$]+/', ',', @$opt['order']);

Save the file and send it to your server.
PmWiki 2.1.beta15 to 2.1.beta38, 2.1.0 to 2.1.27, any 2.2.betaX, 2.2.X<2.2.35
-----------------------------------------------------------------------------
Open the file pmwiki/scripts/pagelist.php and search for the line:

  function MakePageList($pagename, $opt, $retpages = 1) {

After this line, insert a new line:

  $opt['order'] = preg_replace('/[^-\\w:$]+/', ',', @$opt['order']);

Save the file and send it to your server.
-----------------------------------------------------------------------------
After fixing the pagelist.php script, you can re-enable searches and
pagelists. If you added the following lines to config.php, as previously
suggested:

  $EnablePageList = 0; # -and/or-
  if ($action == 'search') $action = 'browse';

you can now remove them.
Petko
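
The following is an added example, not part of the original message and not PmWiki code: it runs the sanitizing expression over a few constructed 'order' values and checks whether a source excerpt has the new line directly after the MakePageList() declaration. The function names sanitize_order() and order_patch_present(), the sample values and the source excerpts are assumptions made for illustration.

```php
<?php
// Added example; not PmWiki code. Function names and sample sources are hypothetical.

// The sanitizing expression from the message, wrapped so it can be exercised.
function sanitize_order($order) {
    return preg_replace('/[^-\\w:$]+/', ',', $order);
}

// Returns true if the first statement after the MakePageList() declaration
// (either signature quoted in the message) assigns $opt['order'] from
// preg_replace(); false if not; null if the declaration is not found.
function order_patch_present($source) {
    $decl = '/function\s+MakePageList\s*\(\s*\$pagename\s*,\s*\$opt\b[^)]*\)\s*\{\s*(.*)/';
    if (!preg_match($decl, $source, $m)) return null;
    return preg_match('/^\$opt\[\'order\'\]\s*=\s*preg_replace\(/', $m[1]) === 1;
}

// Constructed excerpts standing in for pagelist.php after and before the edit.
$patched = <<<'SRC'
function MakePageList($pagename, $opt, $retpages = 1) {
  $opt['order'] = preg_replace('/[^-\\w:$]+/', ',', @$opt['order']);
  # ... rest of the function
SRC;
$unpatched = <<<'SRC'
function MakePageList($pagename, $opt) {
  # ... rest of the function
SRC;

// Constructed 'order' values: three ordinary ones and one with stray punctuation.
// Runs of characters outside [-\w:$] collapse to a single comma, so the last
// value becomes "name,x,y," while the first three pass through unchanged.
foreach (array('-name', 'title,-time', '$:Author', "name; (x) 'y'") as $o) {
    printf("%-16s => %s\n", $o, sanitize_order($o));
}

// bool(true) for the patched excerpt, bool(false) for the unpatched one.
var_dump(order_patch_present($patched), order_patch_present($unpatched));
```

To check an installed copy, pass the contents of pmwiki/scripts/pagelist.php (for example via file_get_contents()) to order_patch_present().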