[pmwiki-users] action diff, source and browse

Patrick R. Michaud pmichaud at pobox.com
Thu Mar 15 14:35:16 CDT 2007


On Thu, Mar 15, 2007 at 02:21:32PM -0400, The Editor wrote:
> If I read protect a group, will that be sufficient to
> 
> 1) protect its contents from action=diff?
> 2) protect its contents from action=source?
> 3) Text Vars being read from it onto other pages?

Yes, at least with the core.  (I make few guarantees as to what other recipes
might do that could allow read-protected content to leak. :-)

> Second, what is the best way to encrypt/unencrypt passwords. [...]

Normally one does not "unencrypt" passwords.  Instead, the way
passwords work is that one stores the encrypted form of a password,
and to check if an entered password matches the stored one, you
simply re-encrypt the entered password and make sure that the
resulting encryptions match.

This is how crypt-based and md5-based password systems work.
(PmWiki uses crypt() for its password encryptions.)

Any system that uses two-way encryption functions (i.e., allowing
stored passwords to be converted back to unencrypted form) is likely
to be insecure unless there's a really good mechanism available 
for keeping the encryption key(s) secret.  And you also have to be
prepared to handle the case when the key is lost somehow.

(I wouldn't consider storing the key in a config file as being "safe".)

Pm
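
The store-and-compare check described in the message above, sketched with PHP's crypt() as an added example. It is not part of the original message and not PmWiki's own code; the function names and sample passwords are made up for illustration.

```php
<?php
// Added illustration; not PmWiki source code. Function names are hypothetical.

// Build the value to store: a salted one-way hash, never the password itself.
// password_hash() emits a crypt()-compatible string that carries the
// algorithm, cost and salt in its prefix.
function make_stored_hash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT);
}

// Check a login attempt: re-run crypt() on the entered password, using the
// stored value as the "salt" argument so the same algorithm, cost and salt
// are reused, then compare the two results.
function check_password(string $entered, string $stored): bool
{
    $recomputed = crypt($entered, $stored);

    // On a malformed stored value crypt() returns a short failure token
    // ("*0" or "*1"), which must never be accepted as a match.
    if (strlen($recomputed) < 13) {
        return false;
    }

    // hash_equals() compares in constant time, avoiding a timing side channel.
    return hash_equals($stored, $recomputed);
}

// Constructed sample data.
$first  = make_stored_hash('correct horse');
$second = make_stored_hash('correct horse');

// Same password, different random salts, so the stored strings differ.
var_dump($first === $second);

// Both stored values still verify the right password and reject a wrong one.
var_dump(check_password('correct horse', $first));
var_dump(check_password('correct horse', $second));
var_dump(check_password('wrong guess', $first));

// A corrupted or empty stored value is rejected rather than matched.
var_dump(check_password('correct horse', ''));
```

Nothing in this flow needs a decryption key, so there is no key to protect or lose.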


