[pmwiki-users] RSS Feed + Read Protected Groups

H. Fox haganfox at users.sourceforge.net
Sat Jan 7 16:51:07 CST 2006


On 1/6/06, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> On Fri, Jan 06, 2006 at 10:16:41AM -0600, Tegan Dowling wrote:
[...]
> >    If you want to keep $EnablePageListProtect=1; in your config.php, I
> >    believe you could create a local/Eberron.php file containing just
> >
> >    <?php
> >        $EnablePageListProtect = 0;
> >
> >    Anyone:  Any problem with this?
>
> Well, even if $EnablePageListProtect=0; in local/Eberron.php,
> it's possible for someone to use that to see the existence of pages
> in all groups.  Essentially someone can then do:
>
>   .../pmwiki.php/Eberron/RecentChanges?action=rss&trail=Site.AllRecentChanges
>
> to get a list of all pages, including password-protected ones.
>
> Why?  Well, specifying Eberron/RecentChanges causes the Eberron.php
> to be loaded (thus turning off $EnablePageListProtect), and then
> the ?action=rss command is told to read pages from Site.AllRecentChanges.
>
> Almost all variables that have to do with read-protecting pages
> must be set in the site-wide configuration file to be effective;
> placing them in per-group configuration files means they can be
> bypassed simply by referencing a page from a different group.

Would there be any advantage to doing this, either in config.php or
e.g. Eberron.php?:

if ($action == 'rss') { $EnablePageListProtect = 0; }

Hagan
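
An added example, not part of the original message and not PmWiki code: a small audit that flags assignments to the read-protection variable discussed in this thread when they sit in per-group files under local/, where, as the quoted reply explains, their effect depends on which page the URL names. The function name, the sample file contents, and the treatment of config.php and farmconfig.php as the site-wide files are assumptions.

```python
import re

# Read-protection settings the thread says must be set site-wide. Only
# $EnablePageListProtect is named on the page; extend the tuple as needed.
PROTECT_VARS = ("EnablePageListProtect",)
# Assumption: site-wide settings live in local/config.php (or farmconfig.php);
# every other local/*.php file is a per-group or per-page customization.
SITE_WIDE = {"config.php", "farmconfig.php"}

# Matches "$Var = value;" but not comparisons such as "$Var == 0".
ASSIGN = re.compile(r"\$(%s)\s*=(?!=)\s*([^;]+);" % "|".join(PROTECT_VARS))
COMMENT = re.compile(r"^\s*(#|//|\*)")  # simplified: whole-line comments only


def audit(files):
    """files maps a file name under local/ to its PHP source text.

    Returns sorted (file, line_no, variable, value, reason) tuples.
    """
    findings = []
    for name, source in files.items():
        for no, line in enumerate(source.splitlines(), 1):
            if COMMENT.match(line):
                continue
            for var, value in ASSIGN.findall(line):
                value = value.strip()
                if name not in SITE_WIDE:
                    reason = "per-group scope: depends on which page the URL names"
                elif value in ("0", "false"):
                    reason = "site-wide file: protection disabled where this line runs"
                else:
                    continue  # enabled site-wide, nothing to report
                findings.append((name, no, var, value, reason))
    return sorted(findings)


# Constructed sample input modelled on the thread, not a real site's files.
SAMPLE = {
    "config.php": "<?php\n$EnablePageListProtect = 1;\n",
    "Eberron.php": "<?php\n    $EnablePageListProtect = 0;\n",
    "Secret.php": "<?php\n# $EnablePageListProtect = 0;\n$EnablePageListProtect = 1;\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("local/%s:%d $%s = %s  (%s)" % finding)
```

Both per-group files are reported, including the one that sets the variable to 1, because a per-group setting in either direction only applies when the requested page belongs to that group.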



