[pmwiki-users] Text variables & ZAP...

Patrick R. Michaud pmichaud at pobox.com
Thu Oct 12 21:46:07 CDT 2006


On Thu, Oct 12, 2006 at 06:22:28PM -0400, The Editor wrote:
> > > Also, can you just set the pattern in local config files for the
> > > actual pages calling the pagelist?
> >
> > Yes.
> 
> So I can set it for one page, and all the pages that are returned on
> the pagelist will be scanned through this pattern.  I'm actually quite
> a bit concerned about security on ZAP, as text variables make
> everything completely open.  Even in a protected comment box unless I
> try disabling the markup somehow.  What would you suggest to avoid a
> user entering somewhere:
> 
> {Profiles.AdminName{$:Password}}  (or whatever the correct syntax is)

In PmWiki's implementation of page text variables, a visitor cannot get
the {$:Password} value out of a read-protected page (unless the visitor
has already been given authorization to that page).

> > Easiest would be to use the same sort of code that PmWiki does to
> > read them -- see the PageTextVar() function for the way that PmWiki
> > manages the parse.
> 
> After looking awhile I finally found it in the stmarkup.php file.  

Umm, the PageTextVar() function is actually in pmwiki.php.

> Looking at the code, it seems to me that if you use
> 
> $PageTextVarPatterns[] = '/^(\\w+)="(.*?)"/m';
> 
> you invalidate all the existing patterns.  

No, in PHP the trailing "[]" means "add this value to the end of the
array".  Example:

    $xyz[] = 'alpha';
    $xyz[] = 'beta';
    $xyz[] = 'cherry';

    print count($xyz);              # outputs 3

So, the $PageTextVarPatterns[] line above is simply adding another
pattern into the $PageTextVarPatterns array.

Pm
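To make the point about "[]" concrete, here is a stand-alone PHP sketch (added here; not PmWiki's own code and not Pm's): a patterns array seeded with two constructed stand-ins for the default entries, the line from the thread appended with "[]", and a small function that runs every pattern over some constructed page text. The two default-like patterns and the `extractPageTextVars()` helper are assumptions for this illustration; PmWiki's real default pattern in pmwiki.php differs in detail.

```php
<?php
// Added example, not PmWiki code. Shows that "$arr[] = ..." appends to an
// existing array and that the earlier patterns keep matching afterwards.

// Constructed stand-ins for PmWiki's existing default patterns (assumption).
$PageTextVarPatterns = array(
    // (:name: value:) directive form
    'var:' => '/\(:(\w[-\w]*):(.*?):\)/s',
    // name: value at the start of a line
    'var'  => '/^(\w[-\w]*):[ \t]?(.*?)\s*$/m',
);

// The line discussed in the thread: "[]" adds a third pattern, it does not
// replace the two above.
$PageTextVarPatterns[] = '/^(\w+)="(.*?)"/m';

// Hypothetical helper: collect name => value pairs found in $text using
// every pattern in $patterns. The first pattern to define a name wins, so
// patterns appended later have lower priority than the defaults.
function extractPageTextVars(array $patterns, $text) {
    $vars = array();
    foreach ($patterns as $pat) {
        if (preg_match_all($pat, $text, $matches, PREG_SET_ORDER)) {
            foreach ($matches as $m) {
                if (!isset($vars[$m[1]])) {
                    $vars[$m[1]] = $m[2];
                }
            }
        }
    }
    return $vars;
}

// Constructed sample page text mixing all three forms.
$text = "(:Title: Admin profile:)\n"
      . "Email: admin@example.invalid\n"
      . "Password=\"not-a-real-secret\"\n";

print count($PageTextVarPatterns) . " patterns\n";
print_r(extractPageTextVars($PageTextVarPatterns, $text));
```

Running it reports three patterns and returns all three variables (Title, Email and Password), which is only possible because the "[]" assignment kept the first two patterns in place. Note that the helper does no authorization check: in PmWiki the read-protection of the page is enforced before its text is ever handed to the pattern matcher, which is why the protected {$:Password} value is not exposed by the markup itself.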