[dokuwiki] Re: plugin deletion

  • From: Michael Hamann <michael@xxxxxxxxxxxxxxxx>
  • To: dokuwiki <dokuwiki@xxxxxxxxxxxxx>
  • Date: Sun, 06 Feb 2011 16:32:09 +0100

Hi,

Excerpts from Myron Turner's message of 2011-02-06 16:05:02 +0100:
[...]
> Thanks for the fix.  I'm aware of the access issues and this in fact 
> is the only way I could get the FCKeditor to access media files.  There 
> is .htaccess protection but, in addition, the fckgLite implementation of 
> the FCKeditor's file browser is fully ACL-compliant.  So, unless you 
> have used fckgLite you can't know whether your security warning is 
> accurate.  Please do so before jumping to conclusions.  And what are you 
> referring to as the 'non-safe' version?

Regarding media access I just referred to actual file access over http,
not listing the contents. The only way to prevent read access would be
more rules in the .htaccess files; there aren't any, so I can conclude
that without testing the plugin. You say in various places that in the
fckgLiteSafe version in contrast to the other ("non-safe") version there
is an enhanced filebrowser. On
http://www.mturner.org/dwfck/fckgLite/doku.php?id=fckglite_safe#fckglitesafe_enhanced_filebrowser_as_of_nov_6_2010
you write that "Users cannot browse files to which they do not have at
least read permission. These files are hidden, preventing users from
creating links to files for which they do not have at least read
permission." My conclusion was that this is different in the "non-safe"
version and there users can list pages they can't access. If that
shouldn't be correct, sorry for the wrong conclusions, feel free to
correct that. I just wanted to make these two points more obvious as if
any of these two things existed in DokuWiki core we would consider that
a major security issue, fix it asap and would probably do a security
release.

Michael
-- 
DokuWiki mailing list - more info at
http://www.dokuwiki.org/mailinglist
