[pmwiki-users] Re: Re: Allowing password extraction from URI

Patrick R. Michaud pmichaud at pobox.com
Mon Jul 25 10:05:58 CDT 2005


On Mon, Jul 25, 2005 at 04:20:36PM +0200, chr at home.se wrote:
> On Mon, 25 Jul 2005, Patrick R. Michaud wrote:
> > Thinking about this a bit more...I'm a little confused.  Pmwiki-mode
> > must be already sending a number of fields along with its post request --
> 
> Pmwiki-mode uses http-get, not http-post, when retrieving the source of a
> wiki page. 

Oh, I forgot about this part.  But I think you can use http-post to
retrieve the source markup without any problem -- just change the http-get
to an http-post and send the authpw control as the only component of
the post request.  From PmWiki's perspective there's little difference
between http-get and http-post except when actually posting an edit.

Trying to get this to work with both v1 and v2 may be a bit tricky,
because v1 defaults to HTTP Basic authentication while PmWiki v2
defaults to session-based authentication.  So, what you really want here
is to have pmwiki-mode send its requests using both authentication
mechanisms.  

To summarize, have pmwiki-mode 
  - always use http-post requests
  - send the username and password values as the 'authid' and 'authpw'
    fields of the http-post
  - send along an extra HTTP request header that provides the same
    values in a form suitable for HTTP Basic authentication

The format of the HTTP Basic Authorization header is

    Authorization: Basic <credentials>

where <credentials> is the username and password separated by a colon
and base64 encoded.  As an example, if username "alice" is trying to
authorize using a password of "wonderland", the appropriate request
header would be

    Authorization: Basic YWxpY2U6d29uZGVybGFuZA==

Here, "YWxpY2U6d29uZGVybGFuZA==" is the base64 encoding 
of "alice:wonderland".

If you're able to do this, then you'll have pretty good coverage of 
v1 and v2 PmWiki installations, regardless of how individual sites
have passwords configured.

Pm
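
The request described in the message above, as an added Python example that is not part of the original post and not pmwiki-mode's own code. It builds (without sending) one POST carrying both the 'authid'/'authpw' fields and the matching Basic header. The URL is a placeholder, the function names are hypothetical, and the HTTPS check is an added safeguard, since base64 is an encoding and not encryption.

```python
import base64
from urllib.parse import urlencode, urlsplit
from urllib.request import Request


def basic_credentials(username: str, password: str) -> str:
    """Return base64("username:password") for an Authorization: Basic header."""
    # The first colon separates the two parts, so a colon in the username
    # would make the server split the pair in the wrong place.
    if ":" in username:
        raise ValueError("username must not contain ':'")
    return base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def decode_basic(header_value: str) -> tuple:
    """Server-side view: recover (username, password) from the header value."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    user, sep, pw = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, pw


def build_request(url: str, username: str, password: str) -> Request:
    """Build (not send) one POST that carries both credential forms."""
    # Added safeguard (assumption, not from the post): both forms are readable
    # on the wire, so refuse anything that is not HTTPS.
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to put credentials in a non-HTTPS request")
    body = urlencode({"authid": username, "authpw": password}).encode("ascii")
    req = Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Authorization", "Basic " + basic_credentials(username, password))
    return req


if __name__ == "__main__":
    # Constructed sample values; the URL is a placeholder.
    r = build_request("https://wiki.example.org/pmwiki.php/Main/HomePage",
                      "alice", "wonderland")
    print(r.get_method(), r.full_url)
    print("Authorization:", r.get_header("Authorization"))
    print(r.data.decode("ascii"))
```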



