[pmwiki-users] Security/information leak in PmWIki
Patrick R. Michaud
pmichaud at pobox.com
Thu Feb 17 22:19:59 CST 2005
On Thu, Feb 17, 2005 at 08:52:51PM -0500, Neil Herber wrote:
> This did not work .... but this did:
>
> if (strncmp($pagename, 'Private', 7) != 0) {
>
> I have no idea why. :-/

...because the group+page separator can be either a dot or a slash, and
with $EnablePathInfo=1; it will tend to be a slash instead of a dot.
I should probably adjust the code to automatically convert any slashes
in $pagename to dots.

The above will work except that any group beginning with 'Private'
(e.g., 'PrivateRyan') will see the Private.* pages in result listings.

Pm
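
The two points in the reply above, as an added example that is not part of the original message and is not PmWiki code: converting slashes to dots handles both separators, and comparing the whole group name instead of a 7-character prefix keeps 'PrivateRyan' out of the match. The helpers page_group(), prefix_check() and exact_check() and the sample page names are hypothetical; treating a name with no separator as belonging to no group is an assumption made here.

```php
<?php
// Added illustration; helper names are hypothetical, not PmWiki functions.

// Return the group part of a page name, accepting "Group.Page" or "Group/Page".
function page_group(string $pagename): string {
    // With $EnablePathInfo=1 the separator tends to be a slash; normalise it to a dot.
    $normalized = str_replace('/', '.', $pagename);
    $dot = strpos($normalized, '.');
    // Assumption: no separator means no identifiable group, so fail closed.
    return $dot === false ? '' : substr($normalized, 0, $dot);
}

// The check quoted in the thread: true for any name that starts with 'Private'.
function prefix_check(string $pagename): bool {
    return strncmp($pagename, 'Private', 7) == 0;
}

// Exact comparison of the group name after separator normalisation.
function exact_check(string $pagename): bool {
    return page_group($pagename) === 'Private';
}

// Constructed sample page names covering both separators and the look-alike group.
$samples = [
    'Private.Notes',
    'Private/Notes',
    'PrivateRyan.Home',
    'PrivateRyan/Home',
    'Main.HomePage',
    'Private',
];

foreach ($samples as $name) {
    printf(
        "%-18s prefix=%-5s exact=%s\n",
        $name,
        var_export(prefix_check($name), true),
        var_export(exact_check($name), true)
    );
}
```

The rows for 'PrivateRyan.Home' and 'PrivateRyan/Home' are where the two checks disagree: the prefix test accepts them and the exact group comparison does not.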