[pmwiki-users] RSS Security issue
crisses at kinhost.org
Sun Apr 17 10:04:17 CDT 2005
On Apr 17, 2005, at 9:57 AM, Patrick R. Michaud wrote:
> On Sun, Apr 17, 2005 at 05:55:24AM -0400, Crisses wrote:
>> When I have RSS enabled and Main/Blocklist is in the RecentChanges
>> page, but is edit & read passworded, it still shows up in the RSS
>> i.e. http://www.kinhost.org/wiki/Main/RecentChanges?action=rss
>> This page is passworded via /local/Main.Blocklist.php
> It's not possible to read-protect pages/groups via the per-page
> (or per-group) customizations, because those customizations aren't
> loaded when you aren't accessing that page directly.
> In this case, since you're accessing Main.RecentChanges,
> local/Main.Blocklist.php isn't being loaded and so the page
> appears unprotected.
> Page and group passwords should always be done through ?action=attr.
Ok -- I understand that. That causes an issue of its own: I did it
that way because I have been deleting and remaking the page so often, I
was afraid that I would forget to renew the attribute changes. (Let's
say the webservers I am running on are on the antiquated side and deal
poorly with the large diffs. I occasionally alphabetize the blocklist,
which has over 1800 entries, and renew the page so diffs don't go
nuts.) It happened at least once, though I doubt the vandals noticed.
Also, I could set it both ways.
So, to come at this from another angle: Is there a way to omit
Main.Blocklist from showing up on the RecentChanges page? I realize
there are other ways to get to it in PmWiki, but I would rather it not
go out into the rss feeds in any case. ;)
(Turn around...) Every now and then I get a little bit restless and I
dream of something wild
(Turn around...) Every now and then I get a little bit helpless and I'm
lying like a child in your arms
(Turn around...) Every now and then I get a little bit angry and I know
I've got to get out and cry
(Turn around...) Every now and then I get a little bit terrified but
then I see the look in your eyes
-- Bonnie Tyler, Total Eclipse of the Heart
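
Added example (not part of the original message and not PmWiki code): a small audit that parses a RecentChanges feed and reports items pointing at pages that are supposed to be read-protected, which is how the exposure described in this thread would show up. The feed text, the wiki.example host and the function names are constructed for illustration; both the /Group/Name and ?n=Group.Name link styles are handled.

```python
"""Audit a RecentChanges RSS feed for pages that are meant to be read-protected."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

# Constructed sample feed (not captured from the site named in the post).
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
  <title>Main.RecentChanges</title>
  <item><title>Main / HomePage</title>
    <link>http://wiki.example/wiki/Main/HomePage</link></item>
  <item><title>Main / Blocklist</title>
    <link>http://wiki.example/wiki/Main/Blocklist</link></item>
  <item><title>Main / Blocklist</title>
    <link>http://wiki.example/pmwiki.php?n=Main.Blocklist</link></item>
</channel></rss>"""


def page_name(link):
    """Normalise a page link to lower-case group.name for both URL styles."""
    url = urlparse(link)
    query = parse_qs(url.query)
    if "n" in query:                       # pmwiki.php?n=Group.Name
        raw = query["n"][0]
    else:                                  # .../Group/Name
        raw = "/".join(url.path.rstrip("/").split("/")[-2:])
    return raw.replace("/", ".").lower()


def leaked_items(feed_xml, protected):
    """Return (title, link) for feed items that point at protected pages."""
    wanted = {p.replace("/", ".").lower() for p in protected}
    hits = []
    for el in ET.fromstring(feed_xml).iter():
        # Compare local names so namespaced (RDF-style) feeds match too.
        if el.tag.rsplit("}", 1)[-1] != "item":
            continue
        fields = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in el}
        link = fields.get("link", "")
        if link and page_name(link) in wanted:
            hits.append((fields.get("title", ""), link))
    return hits


if __name__ == "__main__":
    for title, link in leaked_items(SAMPLE_FEED, ["Main.Blocklist"]):
        print("protected page exposed in feed:", title, link)
```

Run it against the feed as fetched by an unauthenticated client; any hit means the page is visible to feed readers regardless of how the page itself is passworded.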