From: Carsten K. <car...@us...> - 2003-12-06 04:56:26
|
Update of /cvsroot/phpwiki/phpwiki/lib In directory sc8-pr-cvs1:/tmp/cvs-serv7400 Modified Files: WikiUser.php Log Message: Security bugfix (minor): Prevent BogoUser~s from saving extraneous _pref object meta-data within locked pages. Previously, BogoUser~s who signed in with a (valid) WikiWord such as "HomePage" could actually save preferences into that page, even though it was already locked by the administrator. Thus, any subsequent WikiLink~s to that page would become prefixed with "that nice little" UserIcon, as if that page represented a valid user. Note that the admin can lock (even) non-existant pages as desired or necessary (i.e. any DB page whose revision==0), to prevent the arbitrary BogoUser from saving preference metadata into such a page; for example, the silly WikiName "@qmgi`Vcft_x|" (that is the \$examplechars presented in login.tmpl, in case it is not visible here in the CVS comments). http://phpwiki.sourceforge.net/phpwiki/ %C0%F1%ED%E7%E9%E0%D6%E3%E6%F4%DF%F8%FC?action=lock To remove the prefs metadata from a page, the admin can use the EditMetaData plugin, enter pref as the key, leave the value box empty and then submit the change. For example: http://phpwiki.sourceforge.net/phpwiki/ _EditMetaData?page=%C0%F1%ED%E7%E9%E0%D6%E3%E6%F4%DF%F8%FC (It seems a rethinking of WikiUserNew.php with its WikiUser and UserPreferences classes is in order. Ideally the WikiDB would transparently handle such a situation, perhaps BogoUser~s should simply be restricted to saving preferences into a cookie until his/her e-mail address has been verified.) Index: WikiUser.php =================================================================== RCS file: /cvsroot/phpwiki/phpwiki/lib/WikiUser.php,v retrieving revision 1.43 retrieving revision 1.44 diff -u -2 -b -p -d -r1.43 -r1.44 --- WikiUser.php 4 Dec 2003 19:33:30 -0000 1.43 +++ WikiUser.php 6 Dec 2003 04:56:23 -0000 1.44 @@ -323,6 +323,16 @@ class WikiUser { // plaintext! well oh well if ($homepage = $this->homePage()) { + if ((!$homepage->get('locked')) && !$this->isAdmin()) { $homepage->set('pref', serialize($prefs->_prefs)); return sizeof($prefs->_prefs); + } + else { + // FIXME: This permission situation should + // probably be handled by the DB backend, once + // the new WikiUser code has been implemented. + trigger_error(_("Your home page is locked so your preferences cannot not be saved.") + . " " . _("Please contact your PhpWiki administrator for assistance."), + E_USER_WARNING); + } } else { trigger_error("No homepage for user found. Creating one...", @@ -657,4 +667,37 @@ class UserPreferences { // $Log$ +// Revision 1.44 2003/12/06 04:56:23 carstenklapp +// Security bugfix (minor): Prevent BogoUser~s from saving extraneous +// _pref object meta-data within locked pages. +// +// Previously, BogoUser~s who signed in with a (valid) WikiWord such as +// "HomePage" could actually save preferences into that page, even though +// it was already locked by the administrator. Thus, any subsequent +// WikiLink~s to that page would become prefixed with "that nice little" +// UserIcon, as if that page represented a valid user. +// +// Note that the admin can lock (even) non-existant pages as desired or +// necessary (i.e. any DB page whose revision==0), to prevent the +// arbitrary BogoUser from saving preference metadata into such a page; +// for example, the silly WikiName "@qmgi`Vcft_x|" (that is the +// \$examplechars presented in login.tmpl, in case it is not visible here +// in the CVS comments). +// +// http://phpwiki.sourceforge.net/phpwiki/ +// %C0%F1%ED%E7%E9%E0%D6%E3%E6%F4%DF%F8%FC?action=lock +// +// To remove the prefs metadata from a page, the admin can use the +// EditMetaData plugin, enter pref as the key, leave the value box empty +// and then submit the change. For example: +// +// http://phpwiki.sourceforge.net/phpwiki/ +// _EditMetaData?page=%C0%F1%ED%E7%E9%E0%D6%E3%E6%F4%DF%F8%FC +// +// (It seems a rethinking of WikiUserNew.php with its WikiUser and +// UserPreferences classes is in order. Ideally the WikiDB would +// transparently handle such a situation, perhaps BogoUser~s should +// simply be restricted to saving preferences into a cookie until his/her +// e-mail address has been verified.) +// // Revision 1.43 2003/12/04 19:33:30 carstenklapp // Bugfix: Under certain PhpWiki installations (such as the PhpWiki at |