[dokuwiki] Re: Dokuwiki http headers...

  • From: Robin Getz <rgetz@xxxxxxxxxxxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Mon, 25 Oct 2010 10:00:26 -0400

On Sat 23 Oct 2010 04:05, Andreas Gohr pondered:
> > I agree that while hiding the content (restricting access to the content)
> > isn't the same as hiding the page exists, there are times where the page
> > title (the url) can be just as interesting to someone as the content.
> >
> > Hiding the page is a way to reduce/eliminate the traffic analysis that a
> > potential attacker can do.
> 
> We had this discussion multiple times. 

Sorry -- never saw it.

> This is simply not what 
> DokuWiki is intended for. The information if a page exists is "leaked"
> at several places in DokuWiki (link colors, status code, error
> messages, probably more). If firstheading is enabled, even the title
> of the page is given away. If you have content where the pure
> knowledge that it exists is an information leak already, don't put it
> in the wiki. It does not belong there.

OK - that doesn't change the issue which I found, and included the fix for --
(the $ACT == 'check' test is currently after the ACL check, which means that
you can't do a do=check on an ACL nacked page (and find out you need to log
in, or you don't have the right privileges)).

> If the HTTP code for access denied is correct, is debatable. But we do
> send 200 Headers for non existing pages by default as well. So if you
> enable send404, it might be sensible to send a 403 for access denied
> cases.

So, how is this?

diff --git a/inc/actions.php b/inc/actions.php
index 0a6e6d8..02c0da9 100644
--- a/inc/actions.php
+++ b/inc/actions.php
@@ -20,6 +20,7 @@ function act_dispatch(){
     global $ID;
     global $QUERY;
     global $lang;
+    global $conf;

     $preact = $ACT;

@@ -53,6 +54,10 @@ function act_dispatch(){
         //check permissions
         $ACT = act_permcheck($ACT);

+        if($conf['send404'] && $ACT == 'denied') {
+            header('HTTP/1.0 403 Forbidden');
+        }
+
         //register
         if($ACT == 'register' && $_POST['save'] && register()){
             $ACT = 'login';
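Review bot: the status line in the added block hard-codes `HTTP/1.0` (`header('HTTP/1.0 403 Forbidden');`); consider `header($_SERVER['SERVER_PROTOCOL'].' 403 Forbidden');` so the status line matches the protocol version the client actually spoke, as elsewhere a `200` would. Two further points on this hunk: it gates the 403 on `$conf['send404']`, which couples "not found" and "access denied" signalling under one option name, so the option's documentation should say it now affects denied pages too; and the diff only adds the status header after `act_permcheck()`, it does not move the `$ACT == 'check'` test that the message above says is ordered after the ACL check, so that part of the described fix is not in this patch.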
-- 
DokuWiki mailing list - more info at
http://www.dokuwiki.org/mailinglist