[pmwiki-users] Custom PageVariables from request strings: critical vulnerability

Oliver Betz list_ob at gmx.net
Mon Feb 29 05:54:33 CST 2016

Petko Yotov wrote:

>  the recipe "HttpVariables" provides access to request strings

it doesn't offer a method to access have a get /or/ post parameter in a
single PTV as I had in:

$FmtPV['$foo'] = 'isset($_GET["foo"]) ? $_GET["foo"] : @$_POST["foo"]';

The markup {$!foo} is stated "might not be reliable", the documentation
is somewhat fuzzy in this respect: "{$!request_var} may produce
different results under different php.ini configurations."

I think I will make my own solution based on HttpVariables.

BTW: Is the code cited above secure because it's in single quotes?


P.S. I still consider "return-to mangling" useful, replies to list
messages should go to the list by default.

More information about the pmwiki-users mailing list