[pmwiki-users] ZAP security vulnerability...

Patrick R. Michaud pmichaud at pobox.com
Tue May 1 20:21:04 CDT 2007


On Tue, May 01, 2007 at 08:02:01PM -0400, The Editor wrote:
> I suggested one possible (probably easy) fix off-list that could
> provide that back door. Allowing a simple string replacement array to
> be processed before doing markup processing on an imposed page.  

I'm not sure exactly what you mean by "imposed page", but
it sounds as though you mean "any page where the markup is
coming from somewhere other than the current one."  If that's
correct, then essentially you're saying that recipes should be
able to disable certain markups if they're coming from an
included page or section, a pagelist template, GroupHeader,
GroupFooter, page text variable, SideBar, or any other feature
where we're doing any sort of "templating".

I think that many admins and authors would find such limitations
to also be confusing and overly constraining -- i.e., I can't
generate a page containing a ZAP form and then just (:include:)
it on multiple other pages?  Or certain directives aren't
allowed to be used in pagelist templates?  Or I can't use
form processing directives in a SideBar?

So, while this might be a fix, I think it comes with its own
set of negative issues and confusion for authors/admins that
are probably best avoided.  

All of this is just a way of saying that I think we need
a different overall solution to the problem here -- i.e., 
being able to bypass edit to write to *any* page is too 
blunt an instrument for what we're trying to achieve.

Pm



More information about the pmwiki-users mailing list