[Pmwiki-users] Re: hackers: Another good reason for authentication
Patrick R. Michaud
pmichaud
Fri Jun 18 14:26:19 CDT 2004
On Fri, Jun 18, 2004 at 05:03:25AM -0400, Crisses wrote:
> >* preventing external links (requiring admin to approve/disapprove
> >links before they are allowed in the wikitext).
>
> I'd like this as an option. It seems like a very VERY strong security
> feature, if some more admin overhead.

I've written a module for this in PmWiki 2.0 that I'd like people to
test and play with -- http://www.pmwiki.org/devel/pmwiki.php.

Essentially there is a page called Main.ApprovedURLs that provides a
"whitelist" of URLs to be allowed on the wiki. Any http-URL that
begins with one of the URLs in this list is automatically converted
to a link; all others are left as normal text.

In addition, the module adds the actions "?action=approveurls" and
"?action=approvesites". Thus, given a page that has a set of URLs
that are not currently whitelisted, one can execute one of these actions
to automatically add to the whitelist (Main.ApprovedURLs) any URLs or
sites on the page that aren't already there.

I've left all of this open for testing purposes; in a real environment
one would likely password-protect the ApprovedURLs page and the "?action="
capabilities.

It still has some minor problems -- if a site URL is placed in the
whitelist then one can use an '@' to get past the whitelist (e.g.,
http://www.pmwiki.org@spamhost.com/). A future version will disallow
the '@' in this case. In addition, it might be nice if URLs that
didn't make the whitelist were visually represented somehow (and
perhaps automatically linked to the ?action=approveurls capability).

Comments, suggestions welcome.

Pm
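
Added example, not part of the original message and not PmWiki's code: a Python sketch of why a string-prefix whitelist accepts the '@' URL quoted above, next to a check that compares the parsed scheme, host, port and path and refuses any userinfo. The whitelist entries, sample URLs and function names are constructed for illustration, and Python stands in for PmWiki's PHP.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the entries on Main.ApprovedURLs.
APPROVED = ["http://www.pmwiki.org", "http://example.org/docs/"]


def prefix_approved(url, approved=APPROVED):
    """Raw string-prefix match, the behaviour the message describes."""
    return any(url.startswith(entry) for entry in approved)


def parsed_approved(url, approved=APPROVED):
    """Match on parsed scheme, host, port and path; refuse any userinfo."""
    try:
        u = urlsplit(url)
        host, port = u.hostname, u.port  # .port raises ValueError if malformed
    except ValueError:
        return False
    if u.scheme not in ("http", "https") or not host:
        return False
    if "@" in u.netloc:  # userinfo present: the text before '@' is not the host
        return False
    path = u.path or "/"
    for entry in approved:
        e = urlsplit(entry)
        if (u.scheme, host, port) != (e.scheme, e.hostname, e.port):
            continue
        base = e.path or "/"
        if base.endswith("/"):
            if path.startswith(base):
                return True
        elif path == base or path.startswith(base + "/"):
            return True
    return False


# Constructed sample URLs; the third is the '@' form quoted in the message.
SAMPLES = [
    "http://www.pmwiki.org/wiki/PmWiki/PmWiki",
    "http://example.org/docs/intro",
    "http://www.pmwiki.org@spamhost.com/",
    "http://example.org/other",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:45} prefix={prefix_approved(s)!s:5} parsed={parsed_approved(s)}")
```

Only the '@' URL gets a different verdict from the two checks: the prefix match approves it because the string begins with a whitelisted entry, while the parsed check sees that the host is spamhost.com and rejects it.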