Update of /cvsroot/phpwiki/phpwiki/admin
In directory usw-pr-cvs1:/tmp/cvs-serv10034/admin
Modified Files:
Tag: release-1_2-branch
dumpserial.php loadserial.php
Log Message:
Added extra paranoid security checks.
Without these checks, if the admin directory is not protected
(e.g. via .htaccess) then loadserial.php and dumpserial.php can
be run directly and used to probe for and create directories
on the http server.
Index: dumpserial.php
===================================================================
RCS file: /cvsroot/phpwiki/phpwiki/admin/Attic/dumpserial.php,v
retrieving revision 1.1
retrieving revision 1.1.2.1
diff -C2 -r1.1 -r1.1.2.1
*** dumpserial.php 2000/11/08 15:30:16 1.1
--- dumpserial.php 2001/02/14 06:32:19 1.1.2.1
***************
*** 6,10 ****
directory as serialized data structures.
*/
!
$directory = $dumpserial;
$pages = GetAllWikiPagenames($dbi);
--- 6,12 ----
directory as serialized data structures.
*/
! if (!defined('WIKI_ADMIN'))
! die("You must be logged in as the administrator to dump serialized pages.");
!
$directory = $dumpserial;
$pages = GetAllWikiPagenames($dbi);
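Review bot: the new guard in dumpserial.php only checks `defined('WIKI_ADMIN')`, and the line right after it, `$directory = $dumpserial;`, still uses the supplied value unchanged. The check is only as strong as the guarantee that nothing but the authenticated admin entry point ever defines WIKI_ADMIN, so a short comment naming the file that defines it would make this auditable. Since the log message is about directories being probed and created, consider also validating `$dumpserial` against an allowed base directory before it is used, so the script stays safe if the constant is ever defined on another code path.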
Index: loadserial.php
===================================================================
RCS file: /cvsroot/phpwiki/phpwiki/admin/Attic/loadserial.php,v
retrieving revision 1.1
retrieving revision 1.1.2.1
diff -C2 -r1.1 -r1.1.2.1
*** loadserial.php 2000/11/08 15:30:16 1.1
--- loadserial.php 2001/02/14 06:32:19 1.1.2.1
***************
*** 5,8 ****
--- 5,10 ----
wiki_dumpserial.php.
*/
+ if (!defined('WIKI_ADMIN'))
+ die("You must be logged in as the administrator to load serialized pages.");
$directory = $loadserial;
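Review bot: the guard added to loadserial.php is a copy of the one in dumpserial.php with only the `die()` message changed, so every future admin script has to remember to paste it in. Consider moving the `defined('WIKI_ADMIN')` test into one shared function or include that each admin script calls first, and wrapping the `if` body in braces so a later added line cannot fall outside the check. A blank line before `$directory = $loadserial;`, as in the dumpserial.php hunk, would also keep the guard visually separate from the script body.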