On Fri 22 Oct 2010 12:51, Andreas Haerter pondered: > Am 22.10.2010 17:30, schrieb Mike Frysinger: > > it's information leakage pure and simple. restricting pages from the public > > because might be of a higher concern than for random users who typo URLs. > > restricting page access != hiding pages. pure and simple (IMHO). I agree that while hiding the content (restricting access to the content) isn't the same as hiding the page exists, there are times where the page title (the url) can be just as interesting to someone as the content. Hiding the page is a way to reduce/eliminate the traffic analysis that a potential attacker can do. So, this does what Mike described: diff --git a/inc/actions.php b/inc/actions.php index 0a6e6d8..5b070b5 100644 --- a/inc/actions.php +++ b/inc/actions.php @@ -20,6 +20,7 @@ function act_dispatch(){ global $ID; global $QUERY; global $lang; + global $conf; $preact = $ACT; @@ -53,6 +54,10 @@ function act_dispatch(){ //check permissions $ACT = act_permcheck($ACT); + if($ACT == 'denied' && isset($conf['acl_none_httpcode'])) { + headers($conf['acl_none_httpcode']); + } + //register if($ACT == 'register' && $_POST['save'] && register()){ $ACT = 'login'; So, all you need to do is set: $conf['acl_none_httpcode'] = 'HTTP/1.0 404 Not Found'; or $conf['acl_none_httpcode'] = 'HTTP/1.0 403 Forbidden'; This isn't 100% - do=check does expose some things (permissions for a page that doesn't exist, is (1) read, permissions for a page that none, is none (0). So, it's not perfect, and can still expose things if you look hard enough. At the same time - I wasn't sure if the checking of ACL failed pages was meant to have do=check fail, but this is necessary so it works when ACL's are telling people they don't have permissions. diff --git a/inc/actions.php b/inc/actions.php index 0a6e6d8..5bf3111 100644 --- a/inc/actions.php +++ b/inc/actions.php 
@@ -50,6 +50,12 @@ function act_dispatch(){ } } + //display some infos + if($ACT == 'check'){ + check(); + $ACT = 'show'; + } + //check permissions $ACT = act_permcheck($ACT); @@ -115,12 +121,6 @@ function act_dispatch(){ if(substr($ACT,0,7) == 'export_') $ACT = act_export($ACT); - //display some infos - if($ACT == 'check'){ - check(); - $ACT = 'show'; - } - //handle admin tasks if($ACT == 'admin'){ // retrieve admin plugin name from $_REQUEST['page'] -- DokuWiki mailing list - more info at http://www.dokuwiki.org/mailinglist
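Review bot: in the second hunk of the first patch, headers($conf['acl_none_httpcode']) calls a function that does not exist in PHP; the call that emits a raw status line is header($conf['acl_none_httpcode']), so as written every denied request would die with an undefined-function error rather than send the configured status. Two further points on the same lines: the configured string goes into the response unchecked, so it should be validated against the "HTTP/1.x NNN Reason" shape (or the setting should hold only the numeric code) before it is sent; and since $ACT stays 'denied' afterwards, the usual permission-denied page is still rendered under the 404 status, which tells the client the page exists just as plainly as a 403 would. If the aim is to make restricted pages indistinguishable from missing ones, the denied branch should render the same body that a nonexistent page gets.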
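Review bot: the two hunks of the second patch move the do=check handling from after act_permcheck($ACT) to before it, so check() now runs for any requester regardless of the ACL result, and only the subsequent $ACT = 'show' goes through the permission check. That works against the first patch: a requester without read permission still gets the check output for the page, and the message itself notes that this output differs between a nonexistent page (read) and a restricted one (none). Either leave the block where it was, or make check() emit nothing page-specific when the current permission is below read, and record in the commit message why do=check is meant to bypass the ACL.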
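To show the intent of the acl_none_httpcode setting in a form that actually closes the gap the patch leaves open, here is an added illustration (not DokuWiki code and not part of the patch above): the denied case and the missing-page case are mapped to one status line, the configured value is validated before PHP's header() is called, and the same body is returned for both cases so a client cannot tell them apart. The function and argument names are assumptions; AUTH_NONE and AUTH_READ are DokuWiki's existing permission levels, redefined here only so the snippet runs on its own, and the configuration key is the one proposed in the message.

```php
<?php
// Added example, not DokuWiki's own code. Demonstrates making a page the
// requester may not read look the same as a page that does not exist.

// DokuWiki's permission levels (redefined here so the file is self-contained).
const AUTH_NONE = 0;
const AUTH_READ = 1;

// Default status line when $conf['acl_none_httpcode'] is not set: 404 so the
// denied case matches the missing-page case.
const HIDDEN_STATUS_DEFAULT = 'HTTP/1.0 404 Not Found';

/**
 * Decide the status line for a request. Both "no such page" and "no read
 * permission" yield the configured hidden status; only readable pages get 200.
 * $pageExists and $perm would come from page_exists() and auth_quickaclcheck()
 * in a real dispatcher (assumed here, passed in explicitly).
 */
function statusForRequest(array $conf, bool $pageExists, int $perm): string
{
    $hidden = $conf['acl_none_httpcode'] ?? HIDDEN_STATUS_DEFAULT;
    if (!$pageExists || $perm < AUTH_READ) {
        return $hidden;
    }
    return 'HTTP/1.0 200 OK';
}

/**
 * Send the status line. The configured value is user-controlled text, so it is
 * checked against the "HTTP/1.x NNN Reason" shape before reaching header();
 * anything else is refused rather than injected into the response.
 */
function sendStatus(string $status): void
{
    if (!preg_match('#^HTTP/1\.[01] [1-5]\d{2} [A-Za-z ]+$#', $status)) {
        throw new InvalidArgumentException('refusing malformed status line: ' . $status);
    }
    header($status); // header(), not headers(): PHP has no headers() function
}

/**
 * Body returned for hidden pages: identical text for "missing" and "denied",
 * so the response body leaks nothing the status line does not already say.
 */
function hiddenPageBody(): string
{
    return "<h1>Not Found</h1><p>The requested page does not exist.</p>";
}

// Minimal walk-through with constructed inputs (not from the original post).
$conf = ['acl_none_httpcode' => 'HTTP/1.0 404 Not Found'];
$cases = [
    'missing page'        => [false, AUTH_READ],
    'restricted page'     => [true,  AUTH_NONE],
    'readable page'       => [true,  AUTH_READ],
];
foreach ($cases as $label => [$exists, $perm]) {
    $status = statusForRequest($conf, $exists, $perm);
    echo str_pad($label, 18) . ' -> ' . $status . PHP_EOL;
}
// Running the file prints the same 404 line for the first two cases and
// 200 for the third; only the third would get the real page body.
```

Note that the point of the exercise is the pair of identical responses for the missing and restricted cases; a 403 value in acl_none_httpcode keeps the status honest but restores the distinction the message sets out to remove, so 404 is the default here.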