[dokuwiki] Re: $INFO

  • From: Andy Webber <dokuwiki@xxxxxxxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Thu, 19 Nov 2009 22:41:11 +0000

Gerry Weißbach wrote:
On 19.11.2009 at 23:14, Andreas Gohr wrote:

I just installed the latest devel release on my company's test and devel servers 
and found the $INFO being published via JavaScript.
I consider that a security problem or at least a severe inconvenience for 
corporate websites that use DW (such as mine).
Why? What's in there that's problematic?

There are usernames in it. There is specific file information of the page in it 
(Path on the server ...). The ACL ... settings ...
This is a lot of stuff that I think no one should see especially when the "admin" is not 
aware that it's being "published" or when the wiki is being used as corporate website.

It's just a personal feeling (and that of my colleagues) that it's not right to 
have the information there. That's why I'd at least request to add an option to 
hide it.

Does that sound reasonable or somewhat paranoid? (Not sure myself - but I'm 
afraid of leaking too much information)

Gerry.

I concur that it doesn't "feel" right, but also don't have much specific [yet] to object to. It seems to me that there is much there that should remain solely in the server's purview.

I'd much prefer that this was controlled under a config parameter. Any plugins that need it can check the config parameter and complain that they won't work (or will have limited functionality) if it is turned off. Then the paranoid amongst us, that don't want to be hauled up in front of pan-global multi-jurisdictional privacy and audit committees, can rest easy.

Cheers
Andy
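One way to implement the config-gated, allowlisted export Andy asks for, as an added example that is not DokuWiki's own code: the option name `jsinfo_export`, the allowlist and the sample `$INFO` contents are assumptions constructed for illustration.

```php
<?php
// Added example, not DokuWiki code: only export a config-gated allowlist
// of $INFO to client-side JavaScript instead of the whole array.
// 'jsinfo_export', the allowlist and the sample data are assumptions.

function filterJsInfo(array $info, bool $exportEnabled, array $allow): array
{
    // Option off: nothing leaves the server; plugins can test the option
    // themselves and degrade gracefully.
    if (!$exportEnabled) {
        return [];
    }
    // Keep only keys explicitly allowed for the browser.
    return array_intersect_key($info, array_flip($allow));
}

function renderJsInfo(array $jsinfo): string
{
    // JSON_HEX_* flags keep the output safe inside a <script> block.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return 'var JSINFO = ' . json_encode($jsinfo, $flags) . ";\n";
}

// Constructed sample resembling the kinds of values the thread objects to.
$INFO = [
    'id'        => 'wiki:start',
    'namespace' => 'wiki',
    'client'    => 'alice',                                // username
    'filepath'  => '/var/www/data/pages/wiki/start.txt',   // server path
    'perm'      => 8,                                      // ACL level
    'writable'  => true,
];
$conf  = ['jsinfo_export' => true];                // assumed option name
$allow = ['id', 'namespace', 'writable'];          // assumed allowlist

echo renderJsInfo(filterJsInfo($INFO, (bool) $conf['jsinfo_export'], $allow));
// With the option on, only id, namespace and writable reach the browser;
// with it off, JSINFO is an empty object.
```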
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist