Menu
▾
▴
RE: [Tikiwiki-devel] Sql plugin broken + security
|
From: Yannick M. <ma...@au...> - 2004-05-05 14:08:48
|
> - good news :) ask for help if you need. I'll need some for testing... Until then, I spent some hours trying to figure out why sql wiki plugin was broken. I found some "quick" hack to = fix it for now : in lib/adodb/adodb-pear.inc.php, in "function &connect", if = you change : if($persist) $ok =3D $obj->PConnect by if(1||$persist) $ok =3D $obj->PConnect It's working again. Not sure why. Also, I'm not sure from where this &connect function is really called from. I think I should fix the = caller, but where is it. Can someone _please=AD_ give some information? ------------------------------------------------------------------------ Yannick Majoros http://www.auto.ucl.ac.be/~majoros Informaticien AUTO-INMA/FSA/UCL CSAM 4, avenue G. Lema=EEtre B-1348 Louvain-la-Neuve Belgium Tel: +32-10-47.80.10 Fax: +32-10-47.21.80 ------------------------------------------------------------------------ = =20 > -----Message d'origine----- > De : tik...@li...=20 > [mailto:tik...@li...] De la part de mose > Envoy=E9 : Wednesday, May 05, 2004 3:39 PM > =C0 : tik...@li... > Objet : Re: [Tikiwiki-devel] Sql plugin broken + security >=20 > le Wed, May 05, 2004 at 11:48:57AM +0200 par Yannick Majoros : > >=20 > > Hi! > >=20 > > There is a problem in tiki 1.8.2 : sql wiki plugin seems to be=20 > > broken. If you create a DSN to access an 'external' db=20 > (=3Dnot the tiki=20 > > one), tiki tries to use it afterwards for some db queries=20 > (at least in=20 > > categories), which results in fatal errors. Could someone who knows=20 > > that part of tiki have a look? I can't seem to find the=20 > problem for the moment. > >=20 > > Also, I have a proposal for sql plugin security: > >=20 > > - Whenever someone writes a request in a sql plugin, that=20 > request is=20 > > stored in a table, say tiki_sqlplugin_requests, with these fields:=20 > > Page, Request, Approved. > > - You have to have the tiki_p_approve_requests permission=20 > to be able=20 > > to approve a request. Approving is either manual (an=20 > "approve" button=20 > > appears next to unapproved requests if you have the right=20 > permission),=20 > > or automatic (if you have tiki_p_approve_requests perm,=20 > requests are=20 > > automatically approved when you write them). > - try to have the feature name in the perm, in that case, more > something as tiki_p_approve_dsn or something like that. >=20 > > - Unapproved requests don't execute, so users can't just write=20 > > requests on their wiki page and execute it. > - sounds cool :) >=20 >=20 > > I wrote a bunch of wiki plugins for db interfacing, which=20 > I'll share=20 > > with the community asap. I plan to use this trick for securing them. >=20 > - good news :) ask for help if you need. >=20 >=20 > cheers, > mose >=20 >=20 > ------------------------------------------------------- > This SF.Net email is sponsored by: Oracle 10g Get certified=20 > on the hottest thing ever to hit the market... Oracle 10g.=20 > Take an Oracle 10g class now, and we'll give you the exam FREE. > http://ads.osdn.com/?ad_id=3D3149&alloc_id=3D8166&op=3Dclick > _______________________________________________ > Tikiwiki-devel mailing list > Tik...@li... > https://lists.sourceforge.net/lists/listinfo/tikiwiki-devel >=20 |