[pmwiki-users] Upload protection not working
Petko Yotov
5ko at 5ko.fr
Wed Jun 8 03:20:55 CDT 2016
On 2016-06-08 06:04, Christopher Cox wrote:
> Behold the culprit:
>
> $EnableUploadGroupAuth=1;
>
> That creates the security hole.

Here is the documented variable, unset by default, so it was certainly
enabled by your wiki-administrator:

http://www.pmwiki.org/UploadVariables#EnableUploadGroupAuth

People have argued that this prevents a larger security hole.

Without this variable, when you have a protected group, and a single
unprotected page, any file uploaded to the group can be downloaded with
a URL containing the unprotected page.

The other way around is even worse: with per-group directories, any file
can be downloaded from the page with least restricted permissions: if
the group is unprotected but you have a single protected page, all files
can be downloaded from any other page of that group, even pages that
don't exist.

See http://www.pmwiki.org/wiki/Cookbook/SecureAttachments (section Note
about security) and http://www.pmwiki.org/wiki/PITS/01104 (Protection of
per-group attachments is done per-page instead of per-group).

With the default per-group uploads but per-page passwords, I don't think
there is a better solution -- any suggestions will be welcome.

Or, if this can be better documented, please do it.

Petko
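
Added example (not part of the message above and not PmWiki code): a simplified Python model of the two download checks described in the message, listing the pages through which a reader without a password can fetch a file from a shared per-group upload directory. The Group class, page names and file names are constructed; the model assumes that $EnableUploadGroupAuth = 1 consults only the group-level read password, that the default consults the page named in the URL, and it ignores site-wide passwords.

```python
# Simplified model of the download check discussed in this thread.
# Not PmWiki source code; all names and data are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Group:
    protected: bool                              # group-level read password set?
    pages: dict = field(default_factory=dict)    # page -> own protection (True/False)
    files: set = field(default_factory=set)      # one shared per-group upload dir


def page_protected(group, page):
    # A page without its own setting, or a page that does not exist,
    # inherits the group's protection (assumption of this model).
    return group.pages.get(page, group.protected)


def anonymous_can_download(group, via_page, filename, group_auth):
    """True if a reader with no password gets `filename` through `via_page`."""
    if filename not in group.files:
        return False
    if group_auth:                               # models $EnableUploadGroupAuth = 1
        return not group.protected               # only the group password counts
    return not page_protected(group, via_page)   # default: page named in the URL


def exposed_via(group, filename, group_auth, candidates):
    """Pages (existing or not) through which the file is readable anonymously."""
    return [p for p in candidates
            if anonymous_can_download(group, p, filename, group_auth)]


# Case A: protected group with a single unprotected page.
case_a = Group(protected=True, pages={"Public": False, "Minutes": True},
               files={"minutes.pdf"})
# Case B: unprotected group with a single protected page.
case_b = Group(protected=False, pages={"Secret": True, "Home": False},
               files={"secret.pdf"})
PAGES_A = ["Public", "Minutes", "NoSuchPage"]
PAGES_B = ["Secret", "Home", "NoSuchPage"]

if __name__ == "__main__":
    for label, grp, name, pages in (("A", case_a, "minutes.pdf", PAGES_A),
                                    ("B", case_b, "secret.pdf", PAGES_B)):
        for flag in (False, True):
            print(label, "group_auth =", flag, "->",
                  exposed_via(grp, name, flag, pages))
```

In this model neither setting closes both cases: the group-level check closes case A but leaves every file in case B readable, including through the protected page itself.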