On Tue, May 13, 2014 at 2:16 AM, Hannes Magnusson <[email protected]> wrote:

> On Sun, May 11, 2014 at 10:12 AM,  <[email protected]> wrote:
> > Commit:    066a3c46cf554167ecf3ccc8778ff192a1d08901
> > Author:    Sobak <[email protected]>         Sun, 11 May 2014
> 19:12:23 +0200
> > Parents:   5aea2a996ff375cd4c5e475ff09796dc020cffe6
> > Branches:  master
> >
> > Link:
> http://git.php.net/?p=web/wiki.git;a=commitdiff;h=066a3c46cf554167ecf3ccc8778ff192a1d08901
> >
> > Log:
> > Link users to their PHP.net profile
> >
> > Changed paths:
> >   M  dokuwiki/inc/common.php
> >
> >
> > Diff:
> > diff --git a/dokuwiki/inc/common.php b/dokuwiki/inc/common.php
> > index 3277128..ca410c5 100644
> > --- a/dokuwiki/inc/common.php
> > +++ b/dokuwiki/inc/common.php
> > @@ -1418,34 +1418,7 @@ function shorten($keep, $short, $max, $min = 9,
> $char = '…') {
> >   * @author Andy Webber <dokuwiki AT andywebber DOT com>
> >   */
> >  function editorinfo($username) {
> > -    global $conf;
> > -    global $auth;
> > -
> > -    switch($conf['showuseras']) {
> > -        case 'username':
> > -        case 'email':
> > -        case 'email_link':
> > -            if($auth) $info = $auth->getUserData($username);
> > -            break;
> > -        default:
> > -            return hsc($username);
> > -    }
> > -
> > -    if(isset($info) && $info) {
> > -        switch($conf['showuseras']) {
> > -            case 'username':
> > -                return hsc($info['name']);
> > -            case 'email':
> > -                return obfuscate($info['mail']);
> > -            case 'email_link':
> > -                $mail = obfuscate($info['mail']);
> > -                return '<a href="mailto:'.$mail.'">'.$mail.'</a>';
> > -            default:
> > -                return hsc($username);
> > -        }
> > -    } else {
> > -        return hsc($username);
> > -    }
> > +    return '<a href="//people.php.net/'.$username.
> '">'.$username.'</a>';
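Review bot: the added `return '<a href="//people.php.net/'.$username.'">'.$username.'</a>';` line inserts `$username` into both the href attribute and the anchor body without any escaping, whereas every path of the removed code passed the value through `hsc()` before returning it; the wiki's authentication backend decides what a username can contain, so a name holding `"` or `<` would break out of the attribute or inject markup into every page that calls `editorinfo()`. Suggest `rawurlencode($username)` for the URL path segment and `hsc($username)` for the link text, e.g. `return '<a href="//people.php.net/'.rawurlencode($username).'">'.hsc($username).'</a>';`. Two further points on the same hunk: the `$conf['showuseras']` switch that is deleted here was the only code honouring that setting, so the `username`, `email` and `email_link` display modes stop working without the option being removed or documented; and the hunk also drops the `default: return hsc($username);` fallback that handled users for whom no profile data exists, so accounts without a people.php.net page now get a link to a non-existent profile rather than plain text.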
>
>
> - Not all wiki users have @php.net karma/profile pages (it depends on
> the login method)
> - You need to escape the $username (XSS...)
> - Modifying dokuwiki core code is evil as it will get lost next time
> we upgrade (say, a new security release is out). Please attempt to
> make these changes as part of a custom plugin or maintain a patch file
> in the patches/ directory
>
>
uhm, shouldn't we revert it until the concerns you've raised are fixed?


-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu