[pmwiki-devel] [pmwiki-users] ZAP security vulnerability...

Kathryn Andersen kat_lists at katspace.homelinux.org
Tue May 1 21:19:11 CDT 2007

(Following up on pmwiki-devel)
On Tue, May 01, 2007 at 08:21:04PM -0500, Patrick R. Michaud wrote:
> All of this is just a way of saying that I think we need
> a different overall solution to the problem here -- i.e., 
> being able to bypass edit to write to *any* page is too 
> blunt an instrument for what we're trying to achieve.

Whatever happened to the "append" level of security that you were
considering as a solution to adding blogging/commenting capability to

One of the things that has bothered me about ZAP is not quite that
it bypasses PmWiki security(*), but that it has its own security
model that bypasses PmWiki security.  This concerns me for a few
different reasons:
(a) more complicated: there are two security systems
(b) uncertain: ZAP's security has had less testing
(c) is it necessary?

I know that security is complicated.  Even adding "append" security is
complicated.  And what does one do if one wants, say, for people to be
able to edit some parts of a page (like certain PTVs) and not others?
Though I guess that can be gotten around by splitting the content into
two pages.

(*)My own IncludeUpload bypasses PmWiki security, but I've made it quite
clear that it is not secure.

Kathryn Andersen
 _--_|\     | Kathryn Andersen	<http://www.katspace.com>
/      \    | 
\_.--.*/    | GenFicCrit mailing list <http://www.katspace.com/gen_fic_crit/>
      v     | 
------------| Melbourne -> Victoria -> Australia -> Southern Hemisphere
Maranatha!  |	-> Earth -> Sol -> Milky Way Galaxy -> Universe

More information about the pmwiki-devel mailing list