From: Geoffrey T. D. <da...@us...> - 2001-02-14 06:31:41
Update of /cvsroot/phpwiki/phpwiki/admin
In directory usw-pr-cvs1:/tmp/cvs-serv10034/admin

Modified Files:
Tag: release-1_2-branch
dumpserial.php loadserial.php

Log Message:
Added extra paranoid security checks. Without these checks, if the admin directory is not protected (e.g. via .htaccess) then loadserial.php and dumpserial.php can be run directly and used to probe for and create directories on the http server.

Index: dumpserial.php =================================================================== RCS file: /cvsroot/phpwiki/phpwiki/admin/Attic/dumpserial.php,v retrieving revision 1.1 retrieving revision 1.1.2.1 diff -C2 -r1.1 -r1.1.2.1 *** dumpserial.php 2000/11/08 15:30:16 1.1 --- dumpserial.php 2001/02/14 06:32:19 1.1.2.1 *************** *** 6,10 **** directory as serialized data structures. */ ! $directory = $dumpserial; $pages = GetAllWikiPagenames($dbi); --- 6,12 ---- directory as serialized data structures. */ ! if (!defined('WIKI_ADMIN')) ! die("You must be logged in as the administrator to dump serialized pages."); ! $directory = $dumpserial; $pages = GetAllWikiPagenames($dbi);

Index: loadserial.php =================================================================== RCS file: /cvsroot/phpwiki/phpwiki/admin/Attic/loadserial.php,v retrieving revision 1.1 retrieving revision 1.1.2.1 diff -C2 -r1.1 -r1.1.2.1 *** loadserial.php 2000/11/08 15:30:16 1.1 --- loadserial.php 2001/02/14 06:32:19 1.1.2.1 *************** *** 5,8 **** --- 5,10 ---- wiki_dumpserial.php. */ + if (!defined('WIKI_ADMIN')) + die("You must be logged in as the administrator to load serialized pages."); $directory = $loadserial;
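Review bot: the new `if (!defined('WIKI_ADMIN')) die(...)` guard at the top of dumpserial.php is undocumented; it is only as strong as the code that defines WIKI_ADMIN, so a short comment above it stating the contract (the constant is defined by the calling admin script only after the administrator has authenticated, and never by this file) would stop a later include from defining it unconditionally and silently hollowing out the check. Testing a constant rather than a global variable is the right choice for the stated threat of direct invocation: request parameters can populate variables but cannot define a constant, so the guard cannot be satisfied from the query string.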
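Review bot: the guard in loadserial.php blocks anonymous callers, but `$directory = $loadserial;` immediately after it still takes the directory path straight from the request variable with no validation, and the log message says this path is used to probe for and create directories. Even an authenticated administrator should not be able to point it at arbitrary locations; reject values containing path separators or `..` components, or resolve the path and require it to lie under an expected base directory, before it reaches the filesystem. Both files also return the die() message as the page body with the default successful status; sending a 403 via `header()` before `die()` would let the web server log and any monitoring distinguish a rejected request from a successful one.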