[pmwiki-users] concerning GroupAttributes a potential security risk

Hans design5 at softflow.co.uk
Tue Nov 4 07:44:27 CST 2008


Tuesday, November 4, 2008, 12:53:49 PM, The Editor wrote:

> Don't you just set the attributes for the attributes page itself.
> Just go to group.attr&action=attr or something like that. Then you
> can't change the attr for that group without knowing the password.

> It's been a while since I've done this so I may not recall the exact
> syntax properly, but I think this may be correct.  I'm sure it's in
> the docs--how to set the attributes for a specific page.

to set attributes for all pages of a group, one does
GroupName.GroupAttributes?action=attr
which creates a GroupAttributes page.
PmWiki interpretes attributes set for a GroupAttributes page
to apply to all pages of the group.
Individual page's attributes can be set with action=attr.

The security problem Chris pointed out is that there is no way
(at least I am not aware of one) to set attributes for a
GroupAttributes page which only apply to the page itself,
or that there is no alternative for an admin to set
attributes for all pages in a specific group from outside
the GroupAttributes pages, say from config.php instead.


  ~Hans




More information about the pmwiki-users mailing list