[pmwiki-users] very subtle bug in blocklist2 script
jo at durchholz.org
Sun Sep 11 11:49:40 CDT 2005
Neil Herber wrote:
> At 2005-09-11 10:39 AM -0500, Patrick R. Michaud is rumored to have said:
>> On Sat, Sep 10, 2005 at 01:39:45AM -0400, Neil Herber wrote:
>> > However, on a Windoze server, pages named "Blocklist" and "BlockList"
>> > (note cap "L") map to the same file. On my system the actual file
>> > name was Blocklist, but I entered BlockList in the URL, which
>> > retrieved the correct page, but failed on the page name match test
>> > inside the Blocklist2 code.
>> > This can probably be fixed with a case-insensitive comparison.
>> Perhaps not, because on Unix systems a case-insensitive comparison
>> would mean that a spammer could enter any text desired on BlockList
>> (with a capital 'L'), as well as "BLOCKLIST", "BlOCKLIST",
>> "BlOcKlIsT", etc.
>> (Granted, on post-beta44 versions these alternate pages would
>> all be blocked against edits, so it's not an issue there, but
>> for blocklists held in non-protected groups it could be
>> an issue.)
>> I don't have a quick solution to this problem. (Feel free to
>> enter it in PITS.)
> I don't think this needs to be a PITS issue because it only affects
> Windoze server users who mistype the file name "Blocklist". The current
> scheme does not allow a spammer to create a new "unblocked" page.
> Perhaps just a warning on the cookbook page would be enough. It is very
> puzzling when it happens the first time!
Maybe PmWiki itself should make all page/file names case-insensitive.
E.g. use just lowercase filenames, and store the "canonical" pagename
inside the file.
Just my 2c.
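
The lowercase-filename idea from the message above, sketched as an added example; it is not part of the original thread and is not PmWiki or blocklist2 code. `PageStore`, `is_blocklist_page`, the JSON file layout and the page-name pattern are hypothetical, and the page text is a constructed sample.

```python
import json
import os
import re
import tempfile

NAME_RE = re.compile(r"[A-Za-z0-9]+(\.[A-Za-z0-9]+)?")  # assumed page-name syntax


class PageStore:
    """Hypothetical store: lowercase file names, canonical name kept in the file."""

    def __init__(self, root):
        self.root = root

    def _path(self, name):
        if not NAME_RE.fullmatch(name):
            raise ValueError("invalid page name: %r" % name)
        # Lowercasing gives one file per page on any filesystem.
        return os.path.join(self.root, name.lower())

    def canonical(self, name):
        """Stored canonical name for any spelling, or None if the page is absent."""
        try:
            with open(self._path(name), encoding="utf-8") as fh:
                return json.load(fh)["name"]
        except FileNotFoundError:
            return None

    def write(self, name, text):
        # The first writer fixes the canonical spelling; later spellings reuse it.
        canon = self.canonical(name) or name
        with open(self._path(name), "w", encoding="utf-8") as fh:
            json.dump({"name": canon, "text": text}, fh)
        return canon


def is_blocklist_page(store, requested, blocklist="Blocklist"):
    """Page-name match test done on canonical names, not on the URL spelling."""
    canon = store.canonical(requested)
    return canon is not None and canon == store.canonical(blocklist)


def demo():
    with tempfile.TemporaryDirectory() as root:
        store = PageStore(root)
        store.write("Blocklist", "constructed sample entry")
        return {
            "mistyped": is_blocklist_page(store, "BlockList"),
            "other": is_blocklist_page(store, "HomePage"),
            "canon_after_write": store.write("BlOcKlIsT", "x"),
            "files": sorted(os.listdir(root)),
        }
```

Because every spelling resolves to the one lowercase file, the behaviour is the same on Windows and Unix, and an alternate capitalisation cannot become a second page.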