[Phpwiki-talk] 1.3.11 authentication

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Joel Sherrill <jo...@OA...> schrieb:
> Reini Urban wrote:
>> Note, that 1.2.x is not in active development, and probably insecure, 
>> but is 10x faster, 10x smaller and has 10x less features than the 
>> current 1.3.x development branch. A new 1.3.11 release will arrive soon.
> 
> I hate to ask this but will 1.3.11 address some of the weirdnesses
> with the authentication?  That has been the only gripe I have
> really had with the rtems wiki (http://www.rtems.com/phpwiki).

Which problems?
I know about httpauth not being working (got better, just the admin_user 
is ignored),
PersonalPages problems (not being able to reproduce).

Most problems so far are related to PASSWORD_LENGTH_MINIMUM = 0
(allowing empty passwords), or non-persistent sessions. (which has 
nothing to do with auth)
I print now a warning for all methods if PASSWORD_LENGTH_MINIMUM is 
violated.

Or using slow USER_AUTH_POLICY = old and having IMAP or other issues 
then (as in previous vesions also).

> Someone mentioned some issues with internationalization.  If you
> are interested in a description, I can get him to write them up.
> I think it starts with his name having a non-ASCI character in it.

I remember. That's another issue I introduced lately and have to fix.
The docs state that all i18n username wordchars are valid, and current 
code disallows them. For security concerns with certain methods.
I'll re-enable them for some auth methods: class specific isValidName()
Bogo and PersonalPage are safe.
-- 
Reini Urban