[pmwiki-users] PmWiki security vulnerability (pmwiki-2.1.21 released)

Patrick R. Michaud pmichaud at pobox.com
Wed Sep 6 13:30:14 CDT 2006


On Wed, Sep 06, 2006 at 10:11:05AM -0700, Menachem Shapiro wrote:
> On 9/5/06, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> >    if (ini_get('register_globals'))
> >      foreach($_REQUEST as $k=>$v) {
> >        if (preg_match('/^(GLOBALS|_SERVER|_GET|_POST|_COOKIE|_FILES|_ENV|_REQUEST|_SESSION|FarmD|WikiDir)$/i', $k)) exit();
> >        ${$k}=''; unset(${$k});
> >      }
> >
> >
> 
> I'm running 2.0.13, and the line in pmwiki.php says:
> 
> if (ini_get('register_globals'))
>  foreach($_REQUEST as $k=>$v) { unset(${$k}); }
> 
> Will updating it to the text quoted above be a problem?

Not a problem, definitely a good idea.

> The main reason I haven't updated my wiki to the latest version is
> because I haven't had time to go through and figure out all the
> changes that will have to be made to my configuration. It would be
> cool if the SiteAnalyzer would also be able to tell me what
> configuration changes would be necessary to upgrade to the latest
> version, including which markup might be deprecated, etc.
> It sounds like that is your plan, but I wanted to bring it up, just in
> case it wasn't.

Hmm, that wasn't my plan, at least not in the short term.  I'm not
sure I'd be able to remember all of the things that might need to
be changed (although, from 2.0.13 to 2.1.0 there shouldn't be
that much of significance that has changed).

I might be able to do this for things going forward.  I could
also probably try to detect when deprecated features are being
used and flag them.  But this will all evolve over time.

Pm
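The two loops quoted in this thread differ in one check: the 2.0.13 version unsets whatever global a request key names, while the 2.1.21 version first refuses any key that names a PHP superglobal or one of PmWiki's own configuration globals (FarmD, WikiDir). The following is an added example, not PmWiki's own code, that wraps the 2.1.21 logic in a standalone function so its behaviour can be observed on a constructed request; the helper `simulate_register_globals` is hypothetical and only mimics what `register_globals = On` did. register_globals was removed in PHP 5.4, so on current PHP this is illustration of the pattern rather than a needed fix.

```php
<?php
// Added example, not PmWiki's own code. Reproduces the register_globals
// cleanup from the pmwiki-2.1.21 snippet quoted in the thread as a
// standalone function. The request arrays below are constructed.

// Same list of protected names as the 2.1.21 pattern: PHP superglobals
// plus the PmWiki configuration globals FarmD and WikiDir.
define('PROTECTED_NAMES',
  '/^(GLOBALS|_SERVER|_GET|_POST|_COOKIE|_FILES|_ENV|_REQUEST|_SESSION|FarmD|WikiDir)$/i');

// Hypothetical helper: mimic register_globals by turning every request
// key into a global variable, which is the behaviour the cleanup undoes.
function simulate_register_globals(array $request) {
  foreach ($request as $k => $v) {
    $GLOBALS[$k] = $v;
  }
}

// Hardened cleanup (2.1.21 logic). Returns the request key that caused
// the rejection, or null when every request-named global was cleared.
// PmWiki itself calls exit() at the rejection point; returning the
// offending name instead makes the decision visible to the caller.
function cleanup_request_globals(array $request) {
  foreach ($request as $k => $v) {
    // Refuse to touch a superglobal or a PmWiki config global, whatever
    // the case of the supplied key (the pattern is case-insensitive).
    if (preg_match(PROTECTED_NAMES, $k)) {
      return $k;
    }
    // Equivalent of ${$k}=''; unset(${$k}); at file scope: make sure the
    // global exists, then remove it.
    $GLOBALS[$k] = '';
    unset($GLOBALS[$k]);
  }
  return null;
}

// Constructed sample requests.
$benign  = array('pagename' => 'Main.HomePage', 'action' => 'edit');
$hostile = array('pagename' => 'Main.HomePage', 'WikiDir' => '/some/other/dir');

simulate_register_globals($benign);
var_dump(isset($GLOBALS['pagename']));        // leaked by register_globals
var_dump(cleanup_request_globals($benign));
var_dump(isset($GLOBALS['pagename']));        // gone after cleanup

var_dump(cleanup_request_globals($hostile));
```

For the benign request the cleanup returns null and `$GLOBALS['pagename']` no longer exists afterwards; for the second request it returns the string `WikiDir`, which is the point at which PmWiki would have exited before any of the page's configuration could be influenced by a request parameter.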
