[pmwiki-users] pruning by version (was pruning page histories)

Russ Fink russfink at hotmail.com
Fri Jan 28 09:23:52 CST 2005


>From: "Patrick R. Michaud" <pmichaud at pobox.com>
>On Fri, Jan 28, 2005 at 09:32:15AM -0500, Russ Fink wrote:
> > [Giving Menachem some additional "press,"] this is probably the more
> > relevant question, is there a way to keep only a set number of revisions
> > of a file, independent of date?  If not, is it easy to build that in?
> > DiffKeepRevs?
>
>It wouldn't be hard to build that in, but this would make it
>possible for someone to make edits to a page that aren't easily restored/
>reversed.  For example, if $DiffKeepRevs=10, then a malicious author
>can just edit the page ten times in rapid succession to cause the
>history to fall off the end of the page such that "Restore" is no
>longer available.

Good point and I concur.  The problem is satisfying two customers, first 
keeping site cruft to a minimum, but OTOH being able to recover from 
malicious edits.

One possible solution is a union heuristic, "if revision older than 
DiffKeepDays AND this revision number greater than DiffKeepRevs, then prune 
it."  This should cover:
* pages with highly infrequent edits (1/month or so).
* pages with malicious edits (your "revision smashing" example above)
* pages with frequent edits

For instance, if DiffKeepDays = 30 and DiffKeepRevs = 5, then a 4th edit to 
a file can live for years and years for one page, and someone doing revision 
smashing attacks on another page will only be effective if the admin doesn't 
notice for 30 days.

Honestly, I haven't read the code so I can't say how hard it would be to 
implement.

Russ
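
[Added example, not part of the original message and not PmWiki code.] The sketch below compares a count-only rule with the combined rule proposed above ("older than DiffKeepDays AND revision number greater than DiffKeepRevs") on constructed page histories, checking whether the last good revision is still available to restore. It assumes "revision number" means rank counted from the newest revision; all function names and sample data are hypothetical.

```python
from datetime import datetime, timedelta

def newest_first(revs):
    # revs is a list of (timestamp, label) tuples
    return sorted(revs, key=lambda r: r[0], reverse=True)

def prune_count_only(revs, keep_revs):
    # Count-only rule: keep the newest keep_revs revisions, drop the rest.
    return newest_first(revs)[:keep_revs]

def prune_combined(revs, now, keep_days, keep_revs):
    # Combined rule from the message: prune a revision only when it is BOTH
    # older than keep_days AND ranked beyond the newest keep_revs revisions.
    cutoff = now - timedelta(days=keep_days)
    return [r for rank, r in enumerate(newest_first(revs), start=1)
            if not (r[0] < cutoff and rank > keep_revs)]

def has_good(revs):
    # True when a known-good revision is still in the history to restore.
    return any(label == "good" for _, label in revs)

# Constructed sample data (not taken from any real wiki).
NOW = datetime(2005, 1, 28, 12, 0)
KEEP_DAYS, KEEP_REVS = 30, 5

# Rarely edited page: four revisions spread over roughly three years.
rare = [(NOW - timedelta(days=d), "good") for d in (1000, 700, 400, 100)]

# Page overwritten in rapid succession: one good revision two days ago,
# then ten unwanted edits one minute apart.
smashed = [(NOW - timedelta(days=2), "good")] + [
    (NOW - timedelta(minutes=m), "vandal") for m in range(10, 0, -1)]

def report():
    later = NOW + timedelta(days=31)  # nobody noticed for 31 days
    return {
        "rare_kept": len(prune_combined(rare, NOW, KEEP_DAYS, KEEP_REVS)),
        "count_only_restorable":
            has_good(prune_count_only(smashed, KEEP_REVS)),
        "combined_restorable":
            has_good(prune_combined(smashed, NOW, KEEP_DAYS, KEEP_REVS)),
        "combined_restorable_day_31":
            has_good(prune_combined(smashed, later, KEEP_DAYS, KEEP_REVS)),
    }

if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The day-31 result shows the limit stated in the message: the combined rule protects the good revision only while the rapid edits are younger than DiffKeepDays.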




