From: Reini U. <ru...@x-...> - 2002-09-15 11:52:36
Geoffrey T. Dairiki schrieb:
> + * BUGS/COMMENTS:
> + *
> + * Actually, it seems that this plugin can be invoked from anywhere on a page.
> + * (Not just the first line.)

oops.

> + * This plugin could probably result in a lot of confusion, especially when
> + * redirecting to external sites. (Perhaps it can even be used for dastardly
> + * purposes?) Maybe it should be disabled by default.

yes, disable the href parameter like ENABLE_RAW_HTML.

> + * It would be nice, when redirecting to another wiki page, to (as
> + * UseModWiki does) add a note to the top of the target page saying
> + * something like "(Redirected from SomeRedirectingPage)".

good idea.

-- 
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/
From: Reini U. <ru...@x-...> - 2002-09-16 13:52:01
Attachments:
RedirectTo.patch
Geoffrey T. Dairiki schrieb:
> Index: RedirectTo.php
> + * BUGS/COMMENTS:
> + *
> + * Actually, it seems that this plugin can be invoked from anywhere on a page.
> + * (Not just the first line.)

fixed in current CVS.

> + * This plugin could probably result in a lot of confusion, especially when
> + * redirecting to external sites. (Perhaps it can even be used for dastardly
> + * purposes?) Maybe it should be disabled by default.
> + *
> + * It would be nice, when redirecting to another wiki page, to (as
> + * UseModWiki does) add a note to the top of the target page saying
> + * something like "(Redirected from SomeRedirectingPage)".

See this patch attached. Maybe we shouldn't check for another get argument at WikiRequest: redirectfrom=FromPage. But okay for me.

The question is if we should add the note "Redirected from Pagename" at the top or bottom. Currently at the bottom. Looks better to me, but for consistency it would also be okay at the top.

-- 
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/
From: Lawrence A. <la...@us...> - 2002-09-19 12:12:55
Some random jottings on the Transclude plugin, for discussion/flames/whatever:

Name: What on earth is transclusion? OK, I know about
http://www.usemod.com/cgi-bin/mb.pl?TransClusion but see also
http://scriptingnews.userland.com/backissues/2002/03/30#transOrIn
It just sounds a bit silly to me. What's wrong with "Include"? I thought wiki was supposed to be easy to use/intuitive :-)

Recursion: Whilst it is relatively easy (I guess) to detect if a page includes itself, what if a page1 includes page2 includes page1 ... Actually, this same problem applies to the Redirect plugin - see: http://phpwiki.sourceforge.net/demo/en/RedirectLoop. Possibility for DoS attacks?

Bad scripts: Security problems if A Bad User can include all sorts of html in a wiki page? Isn't this why we don't generally allow raw html?

Two plugins: Can we merge the IncludePage plugin with this one in some way?

Lawrence
From: Reini U. <ru...@x-...> - 2002-09-19 17:31:36
Lawrence Akka schrieb:
> Some random jottings on the Transclude plugin, for
> discussion/flames/whatever:
>
> Name: What on earth is transclusion? OK, I know about
> http://www.usemod.com/cgi-bin/mb.pl?TransClusion but see also
> http://scriptingnews.userland.com/backissues/2002/03/30#transOrIn
> It just sounds a bit silly to me. What's wrong with "Include"? I
> thought wiki was supposed to be easy to use/intuitive :-)

true. what about "IframeInclude"? but meatball as quasi-reference called it "TransClusion", so that's a strong point.

> Recursion: Whilst it is relatively easy (I guess) to detect if a page
> includes itself, what if a page1 includes page2 includes page1 ...
> Actually, this same problem applies to the Redirect plugin - see:
> http://phpwiki.sourceforge.net/demo/en/RedirectLoop.
> Possibility for DoS attacks?

does anyone know more about endless redirect loops on the apache? php has a timeout for this kind of beast, but apache not.

> Bad scripts: Security problems if A Bad User can include all sorts of
> html in a wiki page? Isn't this why we don't generally allow raw html.

So we should check for ENABLE_RAW_HTML on the external inclusion parameters: src in FrameInclude and Transclusion, href in RedirectTo. Otherwise only internal pages are allowed. Or?

-- 
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/
From: Joby W. <joby@u.washington.edu> - 2002-09-19 18:48:50
Reini Urban wrote:
> Lawrence Akka schrieb:
>
>> Recursion: Whilst it is relatively easy (I guess) to detect if a page
>> includes itself, what if a page1 includes page2 includes page1 ...
>> Actually, this same problem applies to the Redirect plugin - see:
>> http://phpwiki.sourceforge.net/demo/en/RedirectLoop.
>>
>> Possibility for DoS attacks?
>
> does anyone knows more about endless redirect loops on the apache?
> php has a timeout for this kind of beast, but apache not.

Yes, it can be an issue. Mainly because each redirect is a new session and thus apache thinks it is new. You can use mod_throttle and mod_bandwidth to mitigate the potential threat. Within PHP we could implement a redirect counter to prevent too many redirects.

jbw
From: Reini U. <ru...@x-...> - 2002-09-20 13:45:51
Joby Walker wrote:
> Reini Urban wrote:
>> does anyone knows more about endless redirect loops on the apache?
>> php has a timeout for this kind of beast, but apache not.
>
> Yes, it can be an issue. Mainly because each redirect is a new session
> and thus apache thinks it is new. You can use mod_throttle and
> mod_bandwidth to mitigate the potential threat. Within PHP we could
> impliment a redirect counter so prevent too many redirects.

So this is the same session problem as with the robotblocker. Looks like we have to do that...

-- 
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/
From: Jeff D. <da...@da...> - 2002-09-21 16:08:58
On Thu, 19 Sep 2002 13:12:28 +0100 Lawrence Akka <la...@us...> wrote:

> Name: What on earth is transclusion?

I see it as indicating inclusion from some other published source. As such having a different word for it is useful.

The term "transclusion" did not come out of nowhere. It seems to be the invention of Ted Nelson, who says he conceived of the idea in 1960(!). (It is currently a key component of his Xanadu system.)

http://www.almaden.ibm.com/almaden/npuc97/1996/tnelson.htm
http://www.wikipedia.com/wiki/Hypertext/Transclusion
http://xanadu.com/xuvision.html
http://seed.cs.colorado.edu/dynagloss.makeGlossPage.fcgi$Term=Transclusion
http://www.zerohour.net/~reed/wri/hypertext/xanadu/transclusion.html

> It just sounds a bit silly to me. What's wrong with "Include"? I
> thought wiki was supposed to be easy to use/intuitive :-)

Again, I have no beef with "Include", but I have been brainwashed into accepting "Transclude" as a more specific term.

> Recursion: Whilst it is relatively easy (I guess) to detect if a page
> includes itself, what if a page1 includes page2 includes page1 ...

Yes that's a problem.

> Actually, this same problem applies to the Redirect plugin - see:
> http://phpwiki.sourceforge.net/demo/en/RedirectLoop. Possibility for
> DoS attacks?

Less of a problem. Or, what I mean is: that can (and will, eventually) be fixed. A couple options on how to fix that:

1. The UseMod solution. When redirecting add a "redirected from" query arg. This is used to display a "Redirected from ..." message on the target page. Also, we can refuse to redirect more than once, so if a request already has a "redirected from" query, don't redirect again. (We need a way to disable redirection anyway, so as to be able to view/edit the original page. e.g. the "Redirected from OtherPage" message should include a link to the redirecting page with redirection disabled...)

2. "Internal redirect": Don't actually issue an HTTP redirect, but just treat the request like it was a request for the other page. Then we have complete knowledge of the "redirect" history, and can avoid loops that way... (This should probably be named Alias instead of Redirect.)

> Bad scripts: Security problems if A Bad User can include all sorts of
> html in a wiki page? Isn't this why we don't generally allow raw html

Maybe... not sure, err ... probably. Can anyone give examples?

It could be we do need to treat Transclusion like raw html. Enabled on locked pages only, etc... (Of course, once we have real user authentication, that constraint will need to become more flexible...)

> Two plugins: Can we merge the IncludePage plugin with this one in some
> way?

We could. From the user's point of view, they are quite similar. I'm not sure it's a good idea though. The inner workings of the two mechanisms are, however, quite different. And, as you point out, Transclusion (at least in its current form) is fraught with numerous perils. Keeping them in separate plugins emphasizes to users how different the two are, in spite of the fact they produce similar results. (Also, it makes it easy to disable transclusion: delete the plugin...)

The reason I wrote the Transclusion plugin was not that I'm so crazy about Trans-/In-clusion, but rather as a, IMHO, cleaner alternative to Reini's FrameInclude. (Note that the recursion and security issues listed above pertain equally to the FrameInclude plugin.) I'm hoping to convince Reini at some point that we can do without the FrameInclude plugin and its little hooks all over the PhpWiki code... (The one drawback I see of Transclusion over FrameInclude is that it doesn't work with older browsers...)
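The two loop-avoidance options sketched in the message above, worked through as an added illustration that is not part of this thread or of PhpWiki's own code: option 1 is the UseMod-style guard that carries a `redirectfrom` query argument (the name proposed earlier in the thread) and refuses a second hop, option 2 is an internal alias resolution that keeps its own history. The function names, the `?pagename=` URL layout and the Page1/Page2 sample are assumptions.

```php
<?php
// Added example, not PhpWiki code. Function and parameter names are hypothetical.

// Option 1 ("UseMod solution"): redirect at most once per request.
// Returns the URL to redirect to, or null when the request already came
// from a redirect, so Page1 -> Page2 -> Page1 stops after one hop. The
// redirectfrom value is also what a "(Redirected from X)" note would use
// to link back to X with redirection disabled.
function redirectOnce(array $query, string $currentPage, string $target, string $baseUrl): ?string
{
    if (isset($query['redirectfrom'])) {
        return null;
    }
    return $baseUrl . '?pagename=' . rawurlencode($target)
         . '&redirectfrom=' . rawurlencode($currentPage);
}

// Option 2 ("internal redirect" / Alias): no HTTP round trip. The server
// follows the alias chain itself, so it holds the complete history and can
// detect a cycle instead of relying on the browser or Apache to give up.
// $aliases maps page name => target page name. Throws on a loop or when the
// chain exceeds $maxHops (a cap against very long but non-cyclic chains).
function resolveAlias(array $aliases, string $page, int $maxHops = 10): array
{
    $chain = [$page];
    $seen  = [$page => true];
    while (isset($aliases[$page])) {
        $page = $aliases[$page];
        if (isset($seen[$page])) {
            throw new RuntimeException('Redirect loop: ' . implode(' -> ', $chain) . ' -> ' . $page);
        }
        if (count($chain) >= $maxHops) {
            throw new RuntimeException('Redirect chain too long: ' . implode(' -> ', $chain));
        }
        $seen[$page] = true;
        $chain[]     = $page;
    }
    return ['page' => $page, 'chain' => $chain];
}

// Constructed sample: the two-page loop Lawrence described (page1 -> page2 -> page1).
$aliases = ['Page1' => 'Page2', 'Page2' => 'Page1'];

// First hop is allowed; the second request carries redirectfrom and is refused.
var_dump(redirectOnce([], 'Page1', 'Page2', '/index.php'));
var_dump(redirectOnce(['redirectfrom' => 'Page1'], 'Page2', 'Page1', '/index.php'));

// Internal resolution sees the cycle itself and reports the full chain.
try {
    resolveAlias($aliases, 'Page1');
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```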
From: Reini U. <ru...@x-...> - 2002-09-23 07:36:09
Jeff Dairiki wrote:
> The reason I wrote the Transclusion plugin was not that I'm so
> crazy about Trans-/In-clusion, but rather as a, IMHO, cleaner
> alternative to Reini's FrameInclude. (Note that the recursion
> and security issues listed above pertain equally to the
> FrameInclude plugin.) I'm hoping to convince Reini at some point
> that we can do without the FrameInclude plugin and it's little hooks
> all over the PhpWiki code...

Only one to check for _GET['frame'] and display this frame only. The other early one is needed for plugin-head anyway, not to display any template before. Afterwards we cannot write any header anymore.

BTW: This weekend I couldn't finish the WikiAuth code. Mainboard failure.

-- 
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/