[pmwiki-users] Re: Re: Allowing password extraction from URI
Patrick R. Michaud
pmichaud at pobox.com
Mon Jul 25 10:05:58 CDT 2005
On Mon, Jul 25, 2005 at 04:20:36PM +0200, chr at home.se wrote:
> On Mon, 25 Jul 2005, Patrick R. Michaud wrote:
> > Thinking about this a bit more...I'm a little confused. Pmwiki-mode
> > must be already sending a number of fields along with its post request --
>
> Pmwiki-mode uses http-get, not http-post, when retrieving the source of a
> wiki page.

Oh, I forgot about this part. But I think you can use http-post to
retrieve the source markup without any problem -- just change the http-get
to an http-post and send the authpw control as the only component of
the post request. From PmWiki's perspective there's little difference
between http-get and http-post except when actually posting an edit.

Trying to get this to work with both v1 and v2 may be a bit tricky,
because v1 defaults to HTTP Basic authentication while PmWiki v2
defaults to session-based authentication. So, what you really want here
is to have pmwiki-mode send its requests using both authentication
mechanisms.

To summarize, have pmwiki-mode
  - always use http-post requests
  - send the username and password values as the 'authid' and 'authpw'
    fields of the http-post
  - send along an extra HTTP request header that provides the same
    values in a form suitable for HTTP Basic authentication

The format of the HTTP Basic Authorization header is

    Authorization: Basic <credentials>

where <credentials> is the username and password separated by a colon
and base64 encoded. As an example, if username "alice" is trying to
authorize using a password of "wonderland", the appropriate request
header would be

    Authorization: Basic YWxpY2U6d29uZGVybGFuZA==

Here, "YWxpY2U6d29uZGVybGFuZA==" is the base64 encoding
of "alice:wonderland".

If you're able to do this, then you'll have pretty good coverage of
v1 and v2 PmWiki installations, regardless of how individual sites
have passwords configured.

Pm
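
The request shape summarized in the message above, sketched in Python rather than pmwiki-mode's Emacs Lisp; this is an added example, not code from the message or from pmwiki-mode. The function names and `SAMPLE_URL` are assumptions made for illustration, and `decode_basic` shows that the header value is a reversible encoding of the credentials.

```python
import base64
import urllib.parse
import urllib.request

# Constructed sample URL (assumption); substitute the wiki's real page URL.
SAMPLE_URL = "https://wiki.example.org/pmwiki.php?n=Main.HomePage"


def basic_credentials(username, password):
    """Return <credentials>: base64 of "username:password"."""
    if ":" in username:
        # The first colon separates the two fields, so a colon inside the
        # username would make the receiver split the pair in the wrong place.
        raise ValueError("username must not contain ':'")
    raw = "{}:{}".format(username, password).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def build_request(url, username, password):
    """Build, without sending, a POST carrying both authentication forms."""
    # Form fields for session-based authentication (the PmWiki v2 default).
    body = urllib.parse.urlencode({"authid": username, "authpw": password})
    req = urllib.request.Request(url, data=body.encode("ascii"), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    # Header for HTTP Basic authentication (the PmWiki v1 default).
    req.add_header("Authorization", "Basic " + basic_credentials(username, password))
    return req


def decode_basic(header_value):
    """Recover (username, password) from an Authorization header value."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


if __name__ == "__main__":
    request = build_request(SAMPLE_URL, "alice", "wonderland")
    print(request.get_method(), request.full_url)
    print(request.header_items())
    print(request.data)
```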