Excellent point about security. Parameters like "fmt#include" and
"$:MySecretPTV=?*" could be problems.
OTOH, request=1 can sometimes make it much easier to offer users options for
pagelists.
Note that setting pagelist parameters via the URL is a non-issue in cases of
wikis that allow guests to edit any page at all, including WikiSandbox - since
the guest can then write a malicious directive on the page directly.
Markup like the following could plug some anticipated security holes (requires
the httpvariables recipe):
    (:pagelist (:if ( !equal "{$?fmt}" "#ThisFmtAllowed" ) and ( !equal "{$?fmt}" "#AlsoAllowed" ) :)fmt=#default(:else:)request=1(:ifend:) :)
But that doesn't prevent something like "$:MySecretPTV=?*" from being submitted
via the URL, since you may not know in advance what PTVs are hidden on pages
that need to be protected.
Maybe someday request=1 can be expanded for security to allow
request="order,list,trail,PTV,if" or whatever specific parameters you want to
be overridable via the URL. Or maybe someone will think of a better solution.
Randy
>
> It is not specifically forbidden but I'm not sure if it is desirable to
> work. People may access your pagelists in ways you didn't
> specifically allow. Can this be a security issue? I don't know.
>
> Does anyone rely on this feature working?
>
> Petko
>
_______________________________________________
pmwiki-users mailing list
[email protected]
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
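As an added example (not PmWiki's own code and not from the messages above), here is a standalone PHP allowlist filter in the spirit of Randy's request="order,list,trail,PTV,if" idea: it keeps only the URL parameters a page author opted in to, and treats fmt and "$:PTV" filters specially. The function name pagelist_request_filter() and its arguments are assumptions for illustration.

```php
<?php
// Added example (not PmWiki's own code): an allowlist filter for pagelist
// parameters that arrive via the URL when a page uses request=1.
// pagelist_request_filter() and its argument names are hypothetical.

/**
 * Keep only URL parameters the page author explicitly allowed to override
 * the pagelist.
 *
 * $request     - raw parameters, e.g. $_REQUEST
 * $allowed     - parameter names that may be overridden; the token "PTV"
 *                (if present) additionally admits "$:Name" filters
 * $allowedFmts - exact fmt values that may be selected from the URL
 */
function pagelist_request_filter(array $request, array $allowed, array $allowedFmts) {
  $out = array();
  $ptvOk = in_array('PTV', $allowed, true);
  foreach ($request as $key => $value) {
    if (!is_string($key) || !is_scalar($value)) continue;  // drop arrays and odd keys
    $value = (string)$value;
    if (strncmp($key, '$:', 2) === 0) {
      // "$:MySecretPTV=?*" style filters pass only when the author opted in;
      // even then a visitor can probe PTVs on every listed page, so keep the
      // list= / name= scope of such pagelists tight.
      if ($ptvOk) $out[$key] = $value;
      continue;
    }
    if ($key === 'fmt') {
      // fmt selects the output template; "#include" and custom fmt functions
      // must not be reachable from the URL, so require an exact allowlisted value.
      if (in_array($value, $allowedFmts, true)) $out['fmt'] = $value;
      continue;
    }
    if (in_array($key, $allowed, true)) $out[$key] = $value;
  }
  return $out;
}

// Constructed sample request mixing allowed and disallowed parameters.
$sample = array(
  'order'         => '-time',
  'list'          => 'normal',
  'fmt'           => '#include',   // not in $allowedFmts below
  '$:MySecretPTV' => '?*',         // "PTV" is not in $allowed below
  'count'         => '5',          // not in $allowed below
);
$opts = pagelist_request_filter($sample, array('order', 'list', 'trail', 'if'), array('#default', '#simple'));
print_r($opts);
```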