[Pmwiki-users] New version no upload directives available for testing here
Patrick R. Michaud
pmichaud
Thu Jan 29 20:10:58 CST 2004
On Thu, Jan 29, 2004 at 11:19:28PM +0100, Christian Ridderstr?m wrote:
>
> AFAIK, the only problem right now is that 'security' can be bypassed, e.g.
> it's possible to list the files in another directory and there's no check
> if this is allowed.
>
> Patrick, I can put this up as a cookbook extension, or you can have a
> look at it and see if it should go into 0.6.
I'm probably going to leave this particular feature as a cookbook
extension. Speaking from experience as a system administrator, I'm
very wary of anything that allows anonymous web users to specify
paths directly into my filesystem--and the elimination of the '/'
character in attachment names is a reasonable safeguard against that.
This isn't a criticism of the code or the module itself--I'm just
looking at it from a "PmWiki acceptability" perspective.
(As an aside, even Apache receives my trust only because I know
how many sites and reviewers there are for the code. I'm much more
suspicious of other web-server software because it's so easy to
forget a special case.)
> PS. The new directives now also allow non-english characters in the
> filenames and directories.
Hmmm, I'm wondering what you had to do to achieve this, and if it would
help in configuring PmWiki to have non-ASCII characters in page names...?
Can you send me a couple of pointers/tips?
Pm
More information about the pmwiki-users
mailing list