[pmwiki-users] Increased recipe security without much hassle (Was: Infected Cookbook Recipes?)

ThomasP pmwikidev2 at sigproc.de
Wed Oct 8 12:22:00 CDT 2008


Hello,

> I am afraid that I exposed a problem which, though real (and possibly
> severe), cannot be easily solved.
> So, while there are other priorities, it is maybe better to forget it.
>
> Luigi

this is the approach that I personally rather try to avoid. The thing is
that sites/open source projects DO get hacked (see for example
www.squirrelmail.org, read from bottom), and therefore it is good to come
to a sensible compromise. Some attack awareness is better than no
protection at all.

It is clear on the other hand that hassle is to be avoided as well, and
therefore, to cut a long story short, I have put up at

http://www.sigproc.de/XXXcookbookuploadsnotify.txt

(remove the XXX) what I have in mind - ideally only to be audited,
installed and forgotten. It is pretty much quick and dirty, but we know it
has to be installed on the one host only.

The whole issue is clearly one of the few cases where one should not talk
too much - some silence actually adds here to the security.

I hope this seed can somehow fall on fruitful ground. (After my latest
experiences my desire has grown to rather have a secure wiki, even if the
necessary measures can be deployed only gradually.)

ThomasP

BTW: There is a NotifyOnUpload recipe, it is just that it is even more and
probably _too_ much workaround style.






