[pmwiki-users] read password information leak
Patrick R. Michaud
pmichaud at pobox.com
Mon Mar 7 12:14:42 CST 2005
On Mon, Mar 07, 2005 at 12:58:52PM -0500, Neil Herber wrote:
> At 2005-03-07 11:51 AM -0600, Patrick R. Michaud is rumored to have said:
> >On Mon, Mar 07, 2005 at 12:29:47PM -0500, Neil Herber wrote:
> >> The read password does not appear to suppress protected pagenames or
> >> groupnames for "action=refcount".
> >
> How can I restrict the refcount action to me alone? Note that I have been
> logged in via Apache .htpasswd, so I suspect I need something like the
> following in local/config.php:
>
> if (@$_SERVER['REMOTE_USER'] == 'Neil' ... (magical PHP code
> added here)
Replace your existing include of refcount.php with:
if (@$_SERVER['REMOTE_USER'] == 'Neil')
include_once('scripts/refcount.php');
> All wand-waving appreciated.
*wave* :-)
> Or is it possible to have a farm wide "refcount action" password as there
> can be for other actions? That might be a cleaner solution.
if ($action == 'refcount' && RetrieveAuthPage($pagename, 'admin'))
include_once('scripts/refcount.php');
Pm
More information about the pmwiki-users
mailing list