[pmwiki-users] ZAP syntax ideas...

Ben Stallings ben at interdependentweb.com
Wed Apr 25 10:51:21 CDT 2007


The Editor wrote:
> What risks are you thinking about?  And for that matter, what's to
> stop someone from going to a page with (:zapget:) on it now and doing
> the same thing?

Well, presumably they don't know that (:zapget:) turns all GET variables 
into page variables.  Maybe they think it only does some of them, as 
needed.  In any case, it will only be that page that's affected, whereas 
your proposed change affects the entire site!

The risk that comes most strongly to mind is {$AuthId} ... if I can 
bypass the login procedure and identify myself as you just by typing 
?AuthId=Caveman in the address bar, that is a major security hole. 
Maybe you've already thought of that; I hope so.

> How about if I made it so it only set them if they were not already
> set, making it impossible to overwrite them? Is that what you were
> thinking?

Well, to use the example above, suppose I'm not logged in.  I have no 
{$AuthId}, so any value supplied by GET would be accepted.  So just 
checking whether the variable is set is not enough.  You either need a 
blacklist of which page variables will *not* be accepted via GET, or you 
need to put the responsibility on the form author to specify which 
variables *will* be accepted via GET.  Or you could import them into 
some other context besides page variables, like your own {substitution} 
variables, where they will be less dangerous.  In any case, at the very 
least it should only apply to pages that have ZAP forms, not to the 
whole site.

Thanks again for asking for feedback!  --Ben
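The three policies discussed in this message, modelled as an added example (this is not code from the pmwiki-users thread or from the ZAP recipe itself; function names, the `PROTECTED` set and the sample variable values are assumptions for illustration):

```python
# Added illustration of importing GET variables into page variables.
# Hypothetical names: import_get_all, import_get_if_unset, import_get_blacklist,
# import_get_allowlist. "AuthId" and "Caveman" are the values from the thread.

PROTECTED = {"AuthId"}  # assumed blacklist of page variables never taken from GET


def import_get_all(page_vars, get):
    """Behaviour described for (:zapget:): every GET key becomes a page variable."""
    merged = dict(page_vars)
    merged.update(get)          # a logged-in AuthId is silently overwritten
    return merged


def import_get_if_unset(page_vars, get):
    """Proposed change: only set variables that are not already set."""
    merged = dict(page_vars)
    for key, value in get.items():
        merged.setdefault(key, value)   # protects a set AuthId ...
    return merged                       # ... but not an anonymous (unset) one


def import_get_blacklist(page_vars, get, protected=PROTECTED):
    """Ben's first option: refuse a fixed list of sensitive page variables."""
    merged = dict(page_vars)
    for key, value in get.items():
        if key not in protected:
            merged[key] = value
    return merged


def import_get_allowlist(page_vars, get, allowed):
    """Ben's second option: the form author declares which GET keys are accepted."""
    merged = dict(page_vars)
    for key in allowed:
        if key in get:
            merged[key] = get[key]
    return merged


if __name__ == "__main__":
    # Constructed request: an anonymous visitor types ?AuthId=Caveman&name=x
    get = {"AuthId": "Caveman", "name": "x"}
    print(import_get_all({}, get))                  # AuthId taken from GET
    print(import_get_if_unset({}, get))             # still taken: nothing was set
    print(import_get_blacklist({}, get))            # AuthId dropped
    print(import_get_allowlist({}, get, ("name",)))  # only "name" imported
```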
