[pmwiki-users] Re: Persistant Spam even with blocklist
Patrick R. Michaud
pmichaud at pobox.com
Mon Aug 29 10:49:52 CDT 2005
On Mon, Aug 29, 2005 at 10:36:38AM -0500, Wendell Brown wrote:
> Patrick, it looks like it's also possible to fool the text block by
> using encoded url's. Here is the code I'm going to add to MTBlackList
> to avoid this hole:
> $str = html_entity_decode( rawurldecode( $str ) );
> $str = preg_replace( "/&#([0-9]+);/e", "chr( \\1 )", $str );
> I don't know if you want to add something like that to BlackList2 or not.
If you mean that it's possible to fool the blocklists by using
character entitites in the text, the answer is likely "yes".
One thing to be aware of is that the replacement given above won't
work for multibyte character entities (e.g., things like "ὖ").
This is one reason why the urlapprove script can be somewhat better
than blocklists; with urlapprove the external links are blocked
regardless of any tricks or encodings the spammers may try to employ
(because they require explicit approval instead of explicit
> Patrick R. Michaud wrote:
> >On Mon, Aug 29, 2005 at 02:32:46PM +0000, Bob Atkins wrote:
> >>I know 1.0.11 is something of an old version, so there may be issues
> >>there. I don't think version 2 is out of beta yet, or if there will be an
> >>easy upgrade path.
> >In reviewing the 1.0.11 code it looks as though it's possible for
> >people to bypass the various blocklist recipe(s) by using
> >?action=post directly, which was left in for backwards compatibility
> >with previous versions of PmWiki.
> >Try adding the following to the very beginning of your config.php:
> > if ($action == 'post') $action='edit';
> >I think that should force all posts through the blocklist.
> >pmwiki-users mailing list
> >pmwiki-users at pmichaud.com
More information about the pmwiki-users