A new update for Fox is available from http://www.pmwiki.org/wiki/Cookbook/Fox
This update addresses a few security concerns and generally tightens posting page permissions. It also fixes a few bugs in template and error message handling.

* I removed the 'current page' and 'current group' default permissions from $FoxNameFmt because of possible misuse.
* I added a string check for posting permission, which checks on the target page for presence of ":fox 'formname'" or ":foxprepend" or ":foxappend".
* Otherwise page permissions can be added to $FoxNameFmt, for instance from a local config file with $FoxNameFmt[] = 'Test.*'; which adds permission to post to all pages in the 'Test' group.
* Or a new Site.FoxConfig page can be created and page permission patterns can be added there, like allow: Test.*
* Also: bug fixes in handling {$$var} in foxtemplate string.
* Fixed form action=PageUrl.
* Fixed handling of (:foxtemplate "":),
* added template=0 option for use with new empty page creation.

Note that in addition to these page posting permissions Fox by default can only post to pages for which the user has edit permission. These can be changed through local customisations (not from Site.FoxConfig!) by setting $FoxAuth for instance to 'read', to allow posting to edit-protected pages (but those pages still need to be allowed by the page posting pattern in $FoxNameFmt or set in Site.FoxConfig).

The biggest change to which pages Fox can post by default is that it now requires explicit addition of a pattern to post to the current group. Basically for page security there is no current group, as any general current group setting could be exploited, by using any group as a current group, thereby opening the possibility to post to protected pages.
So instead of having a permission pattern $FoxNameFmt[] = '{$Group}.*'; which could be exploited if $FoxAuth is set to 'read', it is far safer to use an explicit group name in the pattern, as in $FoxNameFmt[] = 'Test.*'; The pattern for 'current page' is not needed any longer, as Fox can post to the page the form is on, or is included in, by checking a string of the markup.

Hope this makes sense. Please send in your comments about these changes, as these security issues have been highlighted so much in other topics, and I am striving to get Fox as secure as I can.

~Hans

_______________________________________________
pmwiki-users mailing list
pmwiki-users@pmichaud.com
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
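To make the reasoning in the announcement concrete, here is an added Python model of the two gates it describes: a target page is postable if its name matches a $FoxNameFmt pattern or its markup carries the form's ":fox" string, and the poster must then hold the auth level named by $FoxAuth. This is illustration code, not Fox's or PmWiki's own: the in-memory page store, the shell-style glob matching via fnmatch (PmWiki's real pattern syntax differs), and the function names can_post, matches_name_pattern and target_has_fox_markup are all assumptions. The current group is taken from the page the form was submitted on, which is what makes a '{$Group}.*' pattern request-controlled.

```python
import fnmatch

# Constructed sample page store (not PmWiki storage):
# page name -> (page markup, highest auth level the posting user holds on it)
PAGES = {
    "Test.Comments":  ("(:fox commentform:)\nLeave a comment below.", "edit"),
    "Test.Guestbook": ("Plain page without any fox markup.",         "edit"),
    "Site.Secret":    ("Edit-protected notes, no fox markup.",        "read"),
}

AUTH_RANK = {"read": 1, "edit": 2}


def expand_patterns(patterns, current_group):
    """Substitute {$Group} with the group of the page the form was submitted from.

    That group is derived from the request, so a '{$Group}.*' pattern expands
    to whatever group the submitter chose to post from."""
    return [p.replace("{$Group}", current_group) for p in patterns]


def matches_name_pattern(target, patterns, current_group):
    """Match the target page name against the posting patterns.

    Assumption: shell-style globs ('Test.*' covers every page in group Test)."""
    return any(fnmatch.fnmatchcase(target, p)
               for p in expand_patterns(patterns, current_group))


def target_has_fox_markup(markup, formname):
    """The string check from the announcement: the target page itself must carry
    ':fox formname', ':foxprepend' or ':foxappend' to accept a post."""
    return (f":fox {formname}" in markup
            or ":foxprepend" in markup
            or ":foxappend" in markup)


def user_has_auth(target, required):
    """Does the posting user hold at least the $FoxAuth level on the target page?"""
    held = PAGES[target][1]
    return AUTH_RANK[held] >= AUTH_RANK[required]


def can_post(target, formname, patterns, current_group, fox_auth="edit"):
    """Model of Fox's decision: posting permission (markup string OR name pattern)
    AND the $FoxAuth gate (default 'edit')."""
    if target not in PAGES:
        return False
    markup = PAGES[target][0]
    posting_ok = (target_has_fox_markup(markup, formname)
                  or matches_name_pattern(target, patterns, current_group))
    return posting_ok and user_has_auth(target, fox_auth)


def compare_configs():
    """Walk through the two configurations discussed in the announcement.

    Returns (explicit_pattern_result, group_pattern_read_result, group_pattern_edit_result)
    for a post aimed at the edit-protected page Site.Secret."""
    # Safe: explicit group name, even with $FoxAuth relaxed to 'read'
    explicit = can_post("Site.Secret", "commentform", ["Test.*"], "Site", fox_auth="read")
    # Risky: '{$Group}.*' plus $FoxAuth = 'read' lets a form posted from the Site
    # group reach Site.Secret although the user cannot edit it and it has no fox markup
    group_read = can_post("Site.Secret", "commentform", ["{$Group}.*"], "Site", fox_auth="read")
    # Same pattern with the default $FoxAuth = 'edit': the edit gate still blocks it
    group_edit = can_post("Site.Secret", "commentform", ["{$Group}.*"], "Site", fox_auth="edit")
    return explicit, group_read, group_edit


if __name__ == "__main__":
    print("Test.Comments via markup string:", can_post("Test.Comments", "commentform", [], "Test"))
    print("Test.Guestbook via 'Test.*':   ", can_post("Test.Guestbook", "commentform", ["Test.*"], "Test"))
    print("Site.Secret (explicit, group/read, group/edit):", compare_configs())
```

The last three values are the point of the announcement: with an explicit 'Test.*' pattern, relaxing $FoxAuth to 'read' never exposes Site.Secret, whereas '{$Group}.*' combined with 'read' does, because the group in the pattern is whatever group the request came from.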