[pmwiki-users] Security issue: recipe uploads

Simon nzskiwi at gmail.com
Tue May 26 05:58:47 CDT 2009


I have now encountered several cases where recipe attachments in the
cookbook have been overwritten by junk or "spam".
I believe this is a serious security risk for the PmWiki community.
This is because there are PmWiki users who use recipes with
little technical knowledge and may not realise they have downloaded
something that is not what it is supposed to be.

I propose that we discuss the following ideas:

   - the recent uploads recipe become part of the core and be enabled asap
     on PmWiki. This will give visibility to changes in attachments.
      - ideally files should not be overwritten, and could then be restored
         - (actually making attachtable part of the core might be a great
           idea too)
      - having per group subdirectories for Cookbook (and Test) group would
        be useful.
   - all uploads, or at least those on the cookbook, be password protected
   - some mechanism be added to PmWiki that allows recipes to "register"
     themselves, and be visible in an Admin (Site) page along with their
     version, etc.

Simon

http://pmwiki.org/wiki/Cookbook/RecentUploadsLog
http://pmwiki.org/wiki/Cookbook/Attachtable
http://pmwiki.org/wiki/Cookbook/PerGroupSubDirectories