Friday, May 4, 2007, 7:12:37 PM, The Editor wrote: >> // the following patterns for 'current page' and 'current group' >> // could be exploited to post to edit protected pages >> '{$Group}.{$Name}', // current page >> '{$Group}.*', // all pages in current group >> */
> Can you explain how these could be exploited, either on or off list. > It seems with the approach Pm used, the imposed markup would not in > any way override or change these page variables. Or is it some other > mechanism you are referring to? {$Group} and {$Name} will be derived from $pagename. Now the script cannot control what will be passed to it as $pagename. Some attacker can set up a form which will post some arbitrary pagename as $pagename to the form. It does not need much to figure out what the function in the processor script accepts as $pagename. In other word: there is no safe 'current page' variable. And therefore also no 'current group'. > Also, another question about your proposed plan. You will require Fox > admins to set these patterns in a config file for each form that needs > a different set of patterns? That's a lot of config editing isn't it? I have not thought about that each form needs different permission patterns. So far I am only using general patterns for all Fox forms to obey. Still it means an admin wanting the possibility to post to all pages in one group needs to explicitely define a group pattern in a local config file or on Site.FoxConfig. Unless he considers the site is safe because he can trust all editors, and sets a '*.*' pattern for allowing posting to all pages (still excluding the pages excluded with - prefixes, like '-Site.*', '-PmWiki.*'. ~Hans _______________________________________________ pmwiki-users mailing list pmwiki-users@pmichaud.com http://www.pmichaud.com/mailman/listinfo/pmwiki-users