[pmwiki-users] ZAP security vulnerability...

Hans design5 at softflow.co.uk
Fri May 4 11:24:08 CDT 2007


Friday, May 4, 2007, 4:32:37 PM, marc wrote:

> Hans said...

> I use a group.php i.e. local/Forum.php which has a lot of group
> customisations, and includes an entry to the pattern array:

> $FoxNameFmt[] = 'Forum.*';

> allowing posting to any page in group Forum.
> I could still exempt some pages from this with negative names:

> $FoxNameFmt[] = '-Forum.GroupFooter';

> So this supplements the permission string check.
> The string check is useful as authors can add it to pages.
> The pattern array is under admin control.

The most annoying shortcoming of using permission page patterns is
that there is no secure pattern for posting to the current group.
That is, from the perspective of posting security, a current group
and a current page cannot safely be assigned.
I find this quite a bummer; I found the previous inclusion of such a
pattern as default in Fox very convenient, but unfortunately it leaves
a security hole, and so I could no longer use it as a general default.

It would be so nice if there were a way to safely assign a "current
page" and "current group", but it seems to be the black hole of post
processing.


  ~Hans



