[pmwiki-users] very subtle bug in blocklist2 script

Neil Herber nospam at eton.ca
Sun Sep 11 11:04:04 CDT 2005


At 2005-09-11  10:39 AM -0500, Patrick R. Michaud is rumored to have said:
>On Sat, Sep 10, 2005 at 01:39:45AM -0400, Neil Herber wrote:
> > However, on a Windoze server, pages named "Blocklist" and "BlockList"
> > (note cap "L") map to the same file. On my system the actual file
> > name was Blocklist, but I entered BlockList in the URL, which
> > retrieved the correct page, but failed on the page name match test
> > inside the Blocklist2 code.
> >
> > This can probably be fixed with a case-insensitive comparison.
>
>Perhaps not, because on Unix systems a case-insensitive comparison
>would mean that a spammer could enter any text desired on BlockList
>(with a capital 'L'), as well as "BLOCKLIST", "BlOCKLIST",
>"BlOcKlIsT", etc.
>
>(Granted, on post-beta44 versions these alternate pages would
>all be blocked against edits, so it's not an issue there, but
>for blocklists held in non-protected groups it could be
>an issue.)
>
>I don't have a quick solution to this problem.  (Feel free to
>enter it in PITS.)

I don't think this needs to be a PITS issue because it only affects 
Windoze server users who mistype the file name "Blocklist". The 
current scheme does not allow a spammer to create a new "unblocked" 
page. Perhaps just a warning on the cookbook page would be enough. It 
is very puzzling when it happens the first time!




Neil

Neil Herber
Corporate info at http://www.eton.ca/
Eton Systems, 15 Pinepoint Drive, Nepean, ON, Canada K2H 6B1
Tel: (613) 829-4668 
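The thread above turns on one distinction: on a Windows server the filesystem folds case, so "BlockList" opens the stored "Blocklist" file, but the script's page-name test compares the URL string exactly; on Unix a case-insensitive comparison would instead let a separately created page such as "BlOcKlIsT" pass as the blocklist. The following is an added example, not PmWiki's or the blocklist2 script's own code, written in Python rather than PHP as a stand-alone illustration. It contrasts the naive case-insensitive comparison with a check that first resolves the requested name to the spelling actually stored on disk and then compares exactly. The directory layout, the `BLOCKLIST_NAME` constant and all function names are assumptions for the demonstration, and the page content written is constructed.

```python
import os
import tempfile

BLOCKLIST_NAME = "Blocklist"  # canonical spelling of the blocklist page (assumed)


def naive_is_blocklist(requested):
    """The case-insensitive comparison floated in the thread. On a
    case-sensitive filesystem this treats a separate page such as
    'BlOcKlIsT' as the blocklist, which is the objection raised above."""
    return requested.lower() == BLOCKLIST_NAME.lower()


def canonical_page_name(pagedir, requested):
    """Resolve `requested` to the name actually stored on disk, or None.
    On a case-insensitive filesystem 'BlockList' opens the same file as
    'Blocklist'; listing the directory and comparing file identity recovers
    the stored spelling instead of trusting the URL."""
    path = os.path.join(pagedir, requested)
    if not os.path.isfile(path):
        return None
    for entry in os.listdir(pagedir):
        if os.path.samefile(os.path.join(pagedir, entry), path):
            return entry
    return None


def canonical_is_blocklist(pagedir, requested):
    """Exact comparison against the resolved on-disk name: matches every
    spelling that really is the blocklist file, and nothing else."""
    return canonical_page_name(pagedir, requested) == BLOCKLIST_NAME


def filesystem_is_case_insensitive(pagedir):
    """True if the filesystem folds case (the Windows situation in the thread).
    Call this after the canonical file exists and before any alternate is made."""
    return os.path.isfile(os.path.join(pagedir, BLOCKLIST_NAME.upper()))


def demo():
    """Build a constructed page directory and run both checks over it."""
    with tempfile.TemporaryDirectory() as pagedir:
        with open(os.path.join(pagedir, BLOCKLIST_NAME), "w") as f:
            f.write("block:spamword\n")  # constructed blocklist content
        folds_case = filesystem_is_case_insensitive(pagedir)
        # An alternate-case page that is a distinct file on a case-sensitive
        # server; on a case-folding one it is simply the same file again.
        with open(os.path.join(pagedir, "BlOcKlIsT"), "a") as f:
            f.write("")
        return {
            "case_insensitive_fs": folds_case,
            # The stored spelling always passes the canonical check.
            "exact": canonical_is_blocklist(pagedir, "Blocklist"),
            # Neil's mistyped URL: passes only where the filesystem folds case.
            "mistyped": canonical_is_blocklist(pagedir, "BlockList"),
            # The naive check accepts the alternate spelling everywhere.
            "naive_alternate": naive_is_blocklist("BlOcKlIsT"),
            # The canonical check accepts it only where it really is the same file.
            "canonical_alternate": canonical_is_blocklist(pagedir, "BlOcKlIsT"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run on a Unix server, `demo()` reports the mistyped and alternate-case names as not being the blocklist while the naive comparison accepts the alternate; on a case-folding filesystem both resolve to the stored "Blocklist" file and pass, which is the behaviour the thread wants on Windows without opening the Unix hole. The resolution step costs one directory listing per check, acceptable for a single protected page.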




