[pmwiki-users] Upload protection not working

ccox at endlessnow.com
Wed Jun 8 09:39:59 CDT 2016


> On 2016-06-08 06:04, Christopher Cox wrote:
>> Behold the culprit:
>>
>> $EnableUploadGroupAuth=1;
>>
>> That creates the security hole.
>
> Here is the documented variable, unset by default, so it was certainly
> enabled by your wiki-administrator:
>
>    http://www.pmwiki.org/UploadVariables#EnableUploadGroupAuth
>
> People have argued that this prevents a larger security hole.
>
> Without this variable, when you have a protected group, and a single
> unprotected page, any file uploaded to the group can be downloaded with
> a URL containing the unprotected page.
>
> The other way around is even worse: with per-group directories, any file
> can be downloaded from the page with least restricted permissions: if
> the group is unprotected but you have a single protected page, all files
> can be downloaded from any other page of that group, even pages that
> don't exist.
>
> See http://www.pmwiki.org/wiki/Cookbook/SecureAttachments (section Note
> about security) and http://www.pmwiki.org/wiki/PITS/01104 (Protection of
> per-group attachments is done per-page instead of per-group).
>
> With the default per-group uploads but per-page passwords, I don't think
> there is a better solution -- any suggestions will be welcome.
>
> Or, if this can be better documented, please do it.

Well... I think I'm ok. I'm using per-page attachments. So is there any
security problem if you have that? Seems that I cannot get to the
attachment if a page password exists... seems I cannot get to the
attachment if a GroupAttributes password exists. Or is there something
I'm not seeing?

So for me, the answer is per-page attachments. Seems the biggest security
problems (the ones you listed) are using the default per-group
attachments.

Certainly let me know if I'm being naive though and have missed something.
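To make the two failure modes quoted above concrete, here is a small model of PmWiki's attachment authorization, written for this thread and not taken from PmWiki's own code. It assumes the following (simplifications of the documented behaviour): the upload directory comes from $UploadPrefixFmt ('/$Group' by default, '/$Group/$Name' for per-page attachments); a download of Attach:Group.Name/file is authorized against the page named in the URL; with $EnableUploadGroupAuth=1 it is authorized against Group.GroupAttributes instead; and direct downloads are off, so every fetch goes through this check. Passwords are plain strings, and an explicit None on a page stands in for "@nopass". The group and page names, file names and passwords are constructed for the example.

```python
"""Model of the per-group vs per-page attachment authorization gap.

Added example, not PmWiki code. Assumptions (see lead-in): upload
directory derived from $UploadPrefixFmt, download authorized against
the page named in the Attach: URL, or against Group.GroupAttributes
when $EnableUploadGroupAuth is set; $EnableDirectDownload=0 so the
check is always reached.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

PER_GROUP = "/$Group"        # PmWiki default $UploadPrefixFmt
PER_PAGE = "/$Group/$Name"   # per-page attachment layout


@dataclass
class Wiki:
    prefix_fmt: str
    # "Group" -> password from Group.GroupAttributes (absent = open)
    group_passwords: Dict[str, Optional[str]] = field(default_factory=dict)
    # "Group.Name" -> page password; explicit None models "@nopass"
    page_passwords: Dict[str, Optional[str]] = field(default_factory=dict)
    enable_upload_group_auth: bool = False
    # upload directory -> stored file names
    files: Dict[str, Set[str]] = field(default_factory=dict)

    def upload_dir(self, group: str, name: str) -> str:
        return self.prefix_fmt.replace("$Group", group).replace("$Name", name)

    def required_password(self, group: str, name: str) -> Optional[str]:
        """Page password if one is set (None = @nopass), else the group's."""
        key = f"{group}.{name}"
        if key in self.page_passwords:
            return self.page_passwords[key]
        return self.group_passwords.get(group)

    def page_allows(self, group: str, name: str, secret: Optional[str]) -> bool:
        pw = self.required_password(group, name)
        return pw is None or pw == secret

    def upload(self, group: str, name: str, filename: str,
               secret: Optional[str] = None) -> None:
        if not self.page_allows(group, name, secret):
            raise PermissionError(f"upload to {group}.{name} denied")
        self.files.setdefault(self.upload_dir(group, name), set()).add(filename)

    def download(self, group: str, name: str, filename: str,
                 secret: Optional[str] = None) -> bool:
        """True if Attach:Group.Name/filename would be served to this caller."""
        if self.enable_upload_group_auth:
            gpw = self.group_passwords.get(group)   # GroupAttributes only
            allowed = gpw is None or gpw == secret
        else:
            allowed = self.page_allows(group, name, secret)
        stored = self.files.get(self.upload_dir(group, name), set())
        return allowed and filename in stored


def leak_via_unprotected_page(prefix_fmt: str, group_auth: bool = False) -> bool:
    """Protected group with one @nopass page: can an anonymous visitor fetch
    a file uploaded to a protected page by naming the open page in the URL?"""
    w = Wiki(prefix_fmt, group_passwords={"Secret": "s3cret"},
             page_passwords={"Secret.Public": None},
             enable_upload_group_auth=group_auth)
    w.upload("Secret", "Plan", "plan.pdf", secret="s3cret")
    return w.download("Secret", "Public", "plan.pdf")   # no password supplied


def leak_via_least_restricted_page(prefix_fmt: str, group_auth: bool = False) -> bool:
    """Open group with one protected page: can an anonymous visitor fetch its
    file by naming any other page of the group, even one that does not exist?"""
    w = Wiki(prefix_fmt, page_passwords={"Secret.Private": "s3cret"},
             enable_upload_group_auth=group_auth)
    w.upload("Secret", "Private", "notes.txt", secret="s3cret")
    return w.download("Secret", "DoesNotExist", "notes.txt")


if __name__ == "__main__":
    for layout in (PER_GROUP, PER_PAGE):
        for ga in (False, True):
            print(f"{layout:14} EnableUploadGroupAuth={int(ga)}: "
                  f"leak via @nopass page={leak_via_unprotected_page(layout, ga)}, "
                  f"leak via other page={leak_via_least_restricted_page(layout, ga)}")
```

Under these assumptions the default '/$Group' layout leaks in both scenarios, $EnableUploadGroupAuth=1 closes only the first (and leaves the second open, because the GroupAttributes password is empty there), and the '/$Group/$Name' layout closes both simply because the file does not live in the directory the other page name resolves to. That matches the reasoning in the reply above; it is a model, so verify against your own installation before relying on it.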
