[pmwiki-devel] Security issues: Disabling action=source & action=diff?

Crisses crisses at kinhost.org
Tue Dec 5 08:36:05 CST 2006

Now that some recipes are possibly storing data invisibly in the  
PmWiki source of a page, should we have a standard "disable public  
view of source" (and history?) option in the config.php file?

I note that I can look at cookbook stuff on PmWiki.org, and the "see  
it in action at..." then even if I can't edit to view the example  
source, I can type &action=source into the browser, and there it is....

[A closed edit site, close to my heart :) ]  http://eclectictech.net/? 

Obviously I'm doing it from the PmWiki developer point of view, out  
of a curiosity of "How can I improve my sites?" and "How did they DO  
that?!" but others may do it from the "How can I hack sites?" point of  
view, so I would think some people would want to (or NEED to) limit  
others viewing PmWiki source code.

I think this should be listed somewhere in a list of items that new  
installs should review for security purposes.  I'm seeing people  
"just installing" PmWiki without knowing that their site is  
vulnerable to vandals, for example.  Maybe a pointer to an  
installation review checklist should be on the Installation page?

Yeah, yeah, "that sounds like the voice of a volunteer" ;)  I'd be  
glad to kick it off, but either tell or remind me how to disable  
these actions --> can we tie them in to authentication levels?  Like  
you can only view source if you can edit the page?

Then I can start off a link from the Installation instructions to a  
page of "Recommended security procedures" (a list of items with brief  
descriptions) that then link to relevant information for  
implementation on each item.

Anyone against this?  For it?  Want to help?  Want to do it instead? :)
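As an added example (not part of the original post, and not a sample shipped with PmWiki), this is how the gating asked about above is expressed in a site's local/config.php. It assumes PmWiki 2.x, where the $HandleAuth array maps each ?action= to the permission level a visitor must hold before that action runs, and it uses a placeholder password that a site would replace:

```php
<?php if (!defined('PmWiki')) exit();
## local/config.php excerpt. Added illustration, not the poster's file and
## not PmWiki's own distribution config. Assumes PmWiki 2.x semantics for
## $HandleAuth (per-action required permission) and $DefaultPasswords.

# The default behaviour PmWiki ships with: anyone allowed to *read* a page
# may also fetch its raw wikitext and its revision history, even on a site
# whose editing is password-protected. This is what ?action=source and
# ?action=diff expose on a "closed edit" site.
#   $HandleAuth['source'] = 'read';
#   $HandleAuth['diff']   = 'read';

# Hardened: require the *edit* permission for both actions, so only people
# who can already change the page may see its source (including any data
# a recipe stores invisibly in the markup) or its history.
$HandleAuth['source'] = 'edit';
$HandleAuth['diff']   = 'edit';

# Gating source/diff behind 'edit' only helps if edit is actually locked.
# A site-wide edit password closes the "just installed, open to vandals"
# case; 'change-me' is a placeholder, not a real credential.
$DefaultPasswords['edit'] = crypt('change-me');

# Check (from a browser, logged out):
#   http://example.org/pmwiki.php?n=Main.HomePage&action=source
# should now prompt for the edit password instead of printing the wikitext,
# and the same for &action=diff. example.org is a placeholder host.
```

Note that $HandleAuth is per action, not per page: with the settings above a reader who has been given an edit password for one group can view source on any page in that group, which is usually the intent (the poster's "you can only view source if you can edit the page"). Page- and group-level edit passwords set through ?action=attr continue to apply as before.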
