[pmwiki-users] Re: Security/information leak in PmWIki

Patrick R. Michaud pmichaud at pobox.com
Sun Feb 20 10:38:57 CST 2005


On Sun, Feb 20, 2005 at 07:14:21PM +0530, V.Krishn wrote:
> On Friday 18 February 2005 02:44, Neil Herber wrote:
> >
> >
> > 1) If I search for "/", PmWiki gladly displays the group name and the name
> > of all the pages it contains. Names like Private.Budget seem to attract
> > attention.
> >
> Not only "/", just by simply hitting search the full wiki-pages structure is 
> displayed.
>   Consider this on a site having more than 4000 wiki pages. Does PmWiki have 
> some kind of check/limitation to display such essentially not desirable 
> feature. (Both Security-Wise as well as waste of Bandwidth ?)

It's not built-in to PmWiki, no.  It wouldn't be hard to implement if
we ever need it.

>   My suggestion would be that SearchBox should have a Minimum of "Three" 
> characters to show the search result.

That's a site-specific choice, and it could be done as a local/config.php
setting.

> Another Suggestion would be to create an Array Variable/s, that can be valued 
> in config.php eg.
> $SearchExcludePages =  { Private , Profile.Krishn , Personal; }
> OR 2 variables $SearchExcludeGroups and $SearchExcludePages
> ....this would then exclude these pages in normal search result but 
> would show from within respective excluded $Groups or $Groups.Name

One can already use the $SearchPatterns variable to limit the pages
displayed as a result of performing a search.

However, keep in mind that in PmWiki's default configuration, all
searches end up in the Main.SearchWiki page.  There's not a 
"group-specific" search option.  However, it's trivially easy to
create a SearchWiki page for an individual group -- just create
Private.SearchWiki and add the line (:searchresults:) where you 
want the search results to be placed.  Then you can use a per-group 
or per-page customization file to set up $SearchPatterns to
include/exclude relevant pages.

PmWiki v1 also had an ?action=search option which kept the search
within the context of an individual page/group -- that option is
now left as a local customization (I think there's a cookbook recipe
for it somewhere).

Pm
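
The include/exclude filtering described in the message above, as an added example that is not part of the original post and is not PmWiki's own code. It assumes the rule given in PmWiki's documentation for $SearchPatterns (a pattern delimited by "!" excludes matching page names, any other pattern must match); filterPageNames() and the page names are hypothetical.

```php
<?php
// Added illustration, not PmWiki source code. filterPageNames() is a
// hypothetical helper modelling the assumed $SearchPatterns rule:
// a pattern delimited by "!" excludes matching page names, any other
// pattern is one that a page name must match in order to be listed.
function filterPageNames(array $pageNames, array $patterns): array
{
    foreach ($patterns as $pat) {
        $flags = ($pat[0] === '!') ? PREG_GREP_INVERT : 0;
        $pageNames = preg_grep($pat, $pageNames, $flags);
    }
    return array_values($pageNames);
}

// Constructed sample page names (Group.Name), echoing the thread.
$allPages = [
    'Main.HomePage',
    'Main.SearchWiki',
    'Main.RecentChanges',
    'Private.Budget',
    'Private.SearchWiki',
    'Profile.Krishn',
    'Profile.Neil',
];

// Site-wide search (results shown on Main.SearchWiki):
// hide the whole Private group and one profile page.
$siteWide = [
    '!^Private\\.!',
    '!^Profile\\.Krishn$!',
];

// Search run from Private.SearchWiki via a per-group customization:
// list only the Private group, minus the search page itself.
$privateOnly = [
    '/^Private\\./',
    '!\\.SearchWiki$!',
];

echo "Site-wide:\n  ", implode("\n  ", filterPageNames($allPages, $siteWide)), "\n";
echo "Private group:\n  ", implode("\n  ", filterPageNames($allPages, $privateOnly)), "\n";
```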


