[pmwiki-users] Fox Security Update

Hans design5 at softflow.co.uk
Wed May 2 16:14:04 CDT 2007


A new update for Fox is available from
http://www.pmwiki.org/wiki/Cookbook/Fox

This update addresses a few security concerns and generally tightens
posting page permissions. It also fixes a few bugs in template and
error message handling.

* I removed the 'current page' and 'current group' default permissions
  from $FoxNameFmt because of possible misuse.
* I added a string check for posting permission, which checks on the
  target page for presence of ":fox 'formname'" or ":foxprepend"
  or ":foxappend".
* Otherwise page permissions can be added to $FoxNameFmt, for instance
  from a local config file with
        $FoxNameFmt[] = 'Test.*';
  which adds permission to post to all pages in the 'Test' group.
* Or a new Site.FoxConfig page can be created and page permission
  patterns can be added there, like
     allow: Test.*
* Also: Bug fixes in handling {$$var} in foxtemplate string.
* Fixed form action=PageUrl.
* Fixed handling of (:foxtemplate "":).
* Added template=0 option for use with new empty page creation.

Note that in addition to these page posting permissions Fox by default can
only post to pages for which the user has edit permission.
These can be changed through local customisations (not from
Site.FoxConfig!) by setting $FoxAuth for instance to 'read', to allow
posting to edit protected pages (but those pages still need to be
allowed by the page posting pattern in $FoxNameFmt or set in
Site.FoxConfig).

The biggest change to which pages Fox can post by default is that it
now requires explicit addition of a pattern to post to the current
group. Basically, for page security there is no current group, as any
general current group setting could be exploited by using any group
as a current group, thereby opening the possibility to post to
protected pages. So instead of having a permission pattern

   $FoxNameFmt[] = '{$Group}.*';

which could be exploited if $FoxAuth is set to 'read',
it is far safer to use explicitly a group name in the pattern, as

   $FoxNameFmt[] = 'Test.*';

The pattern for 'current page' is not needed any longer, as Fox can
post to the page the form is on, or included, by checking a string of
the markup.

Hope this makes sense. Please send in your comments about these
changes, as these security issues have been highlighted so much in
other topics, and I am striving to get Fox as secure as I can.


  ~Hans   
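As an added illustration of the point made in the post above (this is not Fox's own code, and the function and variable names are assumptions made for the example), the following PHP models a page-name pattern list like $FoxNameFmt being matched against the target page. It shows why a pattern such as '{$Group}.*' is unsafe: {$Group} is filled in from the page the form is submitted from, which the submitter chooses, so the pattern ends up matching every group. The explicit 'Test.*' pattern stays fixed regardless of where the form sits. The model covers only the page-name pattern check, not the separate edit-permission check that Fox applies by default via $FoxAuth.

```php
<?php
// Added example, not Fox's own code: a minimal model of matching
// $FoxNameFmt-style page patterns against a target page name.
// Function names and the sample page names below are constructed for
// this illustration.

// Convert a PmWiki-style page pattern ('Test.*', '{$Group}.*') into a
// regex. {$Group} is replaced with the group of the page the form is on,
// i.e. a value chosen by whoever submits the form.
function fox_example_pattern_to_regex(string $pattern, string $currentGroup): string {
    // Single-quoted literal, so '{$Group}' is the raw token, not interpolated.
    $pattern = str_replace('{$Group}', $currentGroup, $pattern);
    // Escape regex metacharacters, then let '*' stand for "anything".
    $quoted = preg_quote($pattern, '/');
    return '/^' . str_replace('\*', '.*', $quoted) . '$/';
}

// Return true if any pattern in the list permits posting to $target.
function fox_example_page_allowed(array $nameFmt, string $currentGroup, string $target): bool {
    foreach ($nameFmt as $pattern) {
        if (preg_match(fox_example_pattern_to_regex($pattern, $currentGroup), $target) === 1) {
            return true;
        }
    }
    return false;
}

// Unsafe configuration: the permitted group follows the request.
$unsafeNameFmt = ['{$Group}.*'];

// Safe configuration: the permitted group is fixed by the administrator.
$safeNameFmt = ['Test.*'];

// Constructed sample: a form placed on (or included into) a page in a
// protected 'Admin' group makes the current group 'Admin'.
$currentGroup = 'Admin';

var_dump(fox_example_page_allowed($unsafeNameFmt, $currentGroup, 'Admin.Secrets'));
var_dump(fox_example_page_allowed($safeNameFmt,   $currentGroup, 'Admin.Secrets'));
var_dump(fox_example_page_allowed($safeNameFmt,   $currentGroup, 'Test.NewPage'));
```

With the unsafe list the first call returns true, because '{$Group}.*' has become 'Admin.*' for this request; with the explicit 'Test.*' list the same target is refused and only pages in the Test group are allowed. This is the difference the post describes between '{$Group}.*' and 'Test.*', and it is the reason the pattern matters most when $FoxAuth has been relaxed to 'read'.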



