[dokuwiki] $INFO

Hi List - hey Andi,

I just installed the latest devel release on my company's test and devel servers 
and found the $INFO being published via JavaScript. (pushed here 
http://dev.splitbrain.org/darcsweb/darcsweb.cgi?r=dokuwiki;a=commit;h=20091026114046-6e07b-340f009428322105a5dda72933a66a3719de544d.gz)

I think that it was a feature request (has that been discussed recently?) But I 
consider that a security problem or at least a severe inconvenience for 
corporate websites that use DW (such as mine).

Though I'd like to request that the code will be removed again I think it won't 
be - but should be protected at least by a config option which defaults to 
false - plugin authors could check and request it to be activated if needed.

The reason I think it should be removed is - primarily the security issue - 
second: the siteexport plugin would output the information as well (that is not 
a good thing for offline documentation) ... - third reason is: anyone who 
needs this information could request it via AJAX.

I was able to temporarily remove the script using the metaheader plugin - but I 
think it should at least be an optional output or fully removed.

What do you think?

Best Regards,
Gerry.
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
