[pmwiki-users] Text variables & ZAP...
Patrick R. Michaud
pmichaud at pobox.com
Thu Oct 12 21:46:07 CDT 2006
On Thu, Oct 12, 2006 at 06:22:28PM -0400, The Editor wrote:
> > > Also, can you just set the pattern in local config files for the
> > > actual pages calling the pagelist?
> >
> > Yes.
>
> So I can set it for one page, and all the pages that are returned on
> the pagelist will be scanned through this pattern. I'm actually quite
> a bit concerned about security on ZAP, as text variables make
> everything completely open. Even in a protected comment box unless I
> try disabling the markup somehow. What would you suggest to avoid a
> user entering somewhere:
>
> {Profiles.AdminName{$:Password}} (or whatever the correct syntax is)
In PmWiki's implementation of page text variables, a visitor cannot get
the {$:Password} value out of a read-protected page (unless the visitor
has already been given authorization to that page).
> > Easiest would be to use the same sort of code that PmWiki does to
> > read them -- see the PageTextVar() function for the way that PmWiki
> > manages the parse.
>
> After looking awhile I finally found it in the stmarkup.php file.
Umm, the PageTextVar() function is actually in pmwiki.php.
> Looking at the code, it seems to me that if you use
>
> $PageTextVarPatterns[] = '/^(\\w+)="(.*?)"/m';
>
> you invalidate all the existing patterns.
No, in PHP the trailing "[]" means "add this value to the end of the
array". Example:
$xyz[] = 'alpha';
$xyz[] = 'beta';
$xyz[] = 'cherry';
print count($xyz); # outputs 3
So, the $PageTextVarPatterns[] line above is simply adding another
pattern into the $PageTextVarPatterns array.
Pm
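The two points in the reply above, as an added PHP example that is not code from the original message or from PmWiki itself: the trailing `[]` appends a pattern rather than replacing the array, and a read check stops a visitor from pulling a variable out of a page they are not authorized to read. The regexes, the function names and the sample pages are constructed for illustration and are not PmWiki's real `$PageTextVarPatterns` entries or its real `PageTextVar()`.

```php
<?php
// Added example (not PmWiki's own code): a minimal page-text-variable
// extractor whose pattern list is appended to, not replaced.
// Pattern names and regexes are constructed; they are not PmWiki's real ones.

$PageTextVarPatterns = array(
  'var:'   => '/^\s*(\w+)\s*:[ \t]?(.*?)$/m',   // name: value  (one per line)
  '(:var:' => '/\(:\s*(\w+)\s*:\s*(.*?):\)/s', // (:name:value:)
);

// The trailing [] appends; the two entries above survive this line.
$PageTextVarPatterns[] = '/^(\w+)="(.*?)"/m';  // name="value"

// Collect every name/value pair the page text exposes under all patterns.
function extractPageTextVars($text, $patterns) {
  $vars = array();
  foreach ($patterns as $pat) {
    if (preg_match_all($pat, $text, $m, PREG_SET_ORDER)) {
      foreach ($m as $match) $vars[$match[1]] = $match[2];
    }
  }
  return $vars;
}

// Constructed stand-in for the read check: a visitor only gets variables
// from pages that visitor is already authorized to read.
function pageTextVar($pagename, $var, $pages, $readable) {
  if (!in_array($pagename, $readable)) return '';  // read-protected: nothing is returned
  $vars = extractPageTextVars($pages[$pagename], $GLOBALS['PageTextVarPatterns']);
  return isset($vars[$var]) ? $vars[$var] : '';
}

// Constructed sample pages; the visitor may read only Main.HomePage.
$pages = array(
  'Main.HomePage'      => "Title: Welcome\n(:Motto: be nice:)\nColor=\"blue\"",
  'Profiles.AdminName' => "Password: example-secret",
);
$readable = array('Main.HomePage');

var_dump(count($PageTextVarPatterns));                                       // int(3)
var_dump(pageTextVar('Main.HomePage', 'Color', $pages, $readable));          // string(4) "blue"
var_dump(pageTextVar('Profiles.AdminName', 'Password', $pages, $readable));  // string(0) ""
```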