[dokuwiki] Re: Dokuwiki http headers...

  • From: Robin Getz <rgetz@xxxxxxxxxxxxxxxxxxxx>
  • To: Andreas Haerter <dokuwiki@xxxxxxxxxxxxxxxxxx>
  • Date: Fri, 22 Oct 2010 17:26:59 -0400

On Fri 22 Oct 2010 12:51, Andreas Haerter pondered:
> On 22.10.2010 17:30, Mike Frysinger wrote:
> > it's information leakage pure and simple.  restricting pages from the public
> > because might be of a higher concern than for random users who typo URLs.
> 
> restricting page access != hiding pages. pure and simple (IMHO).

I agree that while hiding the content (restricting access to the content) 
isn't the same as hiding that the page exists, there are times where the page 
title (the URL) can be just as interesting to someone as the content. 

Hiding the page is a way to reduce/eliminate the traffic analysis that a 
potential attacker can do.


So, this does what Mike described:

diff --git a/inc/actions.php b/inc/actions.php
index 0a6e6d8..5b070b5 100644
--- a/inc/actions.php
+++ b/inc/actions.php
@@ -20,6 +20,7 @@ function act_dispatch(){
     global $ID;
     global $QUERY;
     global $lang;
+    global $conf;

     $preact = $ACT;

@@ -53,6 +54,10 @@ function act_dispatch(){
         //check permissions
         $ACT = act_permcheck($ACT);

+        if($ACT == 'denied' && isset($conf['acl_none_httpcode'])) {
+            headers($conf['acl_none_httpcode']);
+        }
+
         //register
         if($ACT == 'register' && $_POST['save'] && register()){
             $ACT = 'login';
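Review bot: `headers($conf['acl_none_httpcode']);` calls a function that does not exist in PHP; the status line has to go through `header()`, i.e. `header($conf['acl_none_httpcode']);`, otherwise every denied request fails with an undefined-function fatal error instead of returning the configured status. Two smaller points on the same lines: `isset()` still passes an empty string through, so `!empty($conf['acl_none_httpcode'])` would avoid emitting a blank header line, and, as the message itself notes, only the 404 variant hides that the page exists, while 403 still confirms it.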

So, all you need to do is set:

$conf['acl_none_httpcode'] = 'HTTP/1.0 404 Not Found';
or
$conf['acl_none_httpcode'] = 'HTTP/1.0 403 Forbidden';

This isn't 100% - do=check does expose some things (permissions for a page 
that doesn't exist is (1) read, permissions for a page that is none, is none 
(0)). So, it's not perfect, and can still expose things if you look hard 
enough.



At the same time - I wasn't sure if the checking of ACL failed
pages was meant to have do=check fail, but this is necessary so it works when 
ACLs are telling people they don't have permissions.


diff --git a/inc/actions.php b/inc/actions.php
index 0a6e6d8..5bf3111 100644
--- a/inc/actions.php
+++ b/inc/actions.php
@@ -50,6 +50,12 @@ function act_dispatch(){
             }
         }

+        //display some infos
+        if($ACT == 'check'){
+            check();
+            $ACT = 'show';
+        }
+
         //check permissions
         $ACT = act_permcheck($ACT);

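Review bot: moving the `check()` call ahead of `act_permcheck($ACT)` means a do=check request runs `check()` before the page's ACL is evaluated, so its diagnostic messages (including the permission values the message says do=check exposes) are produced for requesters who would otherwise be denied, which works against the hiding the first patch tries to achieve. If the intent is only to keep the output available on denied pages for legitimate users, consider leaving the permission check first and running `check()` only for requesters who pass it, or restricting do=check to privileged users.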
@@ -115,12 +121,6 @@ function act_dispatch(){
         if(substr($ACT,0,7) == 'export_')
             $ACT = act_export($ACT);

-        //display some infos
-        if($ACT == 'check'){
-            check();
-            $ACT = 'show';
-        }
-
         //handle admin tasks
         if($ACT == 'admin'){
             // retrieve admin plugin name from $_REQUEST['page']
-- 
DokuWiki mailing list - more info at
http://www.dokuwiki.org/mailinglist