[dokuwiki] Re: Use of docsearch plugin reveals auth_aclcheck flaw, may have led to information leak for us

  • From: Michael Hamann <michael@xxxxxxxxxxxxxxxx>
  • To: dokuwiki <dokuwiki@xxxxxxxxxxxxx>
  • Date: Mon, 17 Jan 2011 19:05:23 +0100

Hi,

Excerpts from Etienne MELEARD's message of 2011-01-17 18:30:15 +0100:
> On 17/01/11 17:35, Michael Hamann wrote:
> > Excerpts from Etienne MELEARD's message of 2011-01-17 16:25:43 +0100:
[...]
> >> The docsearch plugin temporarily replaces the savedir/indexdir pair to
> >> get search results from its own file tree, one of the side effects of
> >> this method (I have no idea why but I think that shouldn't matter) is
> >> that returned ids are prefixed with ":".
> > This does matter because I think this is the problem that needs to be
> > fixed.
> Yeah but since ids starting with ":" should mean the same thing as 
> without it, that is to say namespace located beneath the root namespace 
> (according to http://www.dokuwiki.org/namespaces ) I still think the two 
> formats should be handled in the same manner and return the same result 
> from auth_aclcheck.

The documentation there is the user documentation, which describes the
formats ids in links can have. Internally in DokuWiki all ids are absolute,
as if they were prefixed with ":", and they don't begin with ":" or ".".

[...]
> Another way would be to allow ids starting with ":" in the acl matching 
> regexp, something like :
> 
>      $matches = preg_grep('/^:?'.preg_quote($id,'/').'\s+('.$regexp.')\s+/'.$ci,$AUTH_ACL);
> 
> and
> 
>      $matches = preg_grep('/^:?'.preg_quote($path).'\s+('.$regexp.')\s+/'.$ci,$AUTH_ACL);

That only fixes the most obvious problem when ids aren't cleaned. I
don't like that because it could hide the problem when a developer tests
whether everything works. There are many more ways you can make the acl
system fail (e.g. just replace ":" by "::"). I think either we clean the
id or we don't.

Michael
-- 
DokuWiki mailing list - more info at
http://www.dokuwiki.org/mailinglist
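The following is an added illustration of the point made in this thread, not DokuWiki's own code: an ACL lookup that walks from the page up through its namespaces to the root rule, run once on the raw id and once on a normalised id. The whitespace-separated "id subject permission" rule lines, the helper names (clean_id, parent_ns, acl_check) and the two inputs (the ":"-prefixed id the docsearch plugin produces, and the "::" variant mentioned above) are all assumptions constructed for this example.

```php
<?php
// Added example for this thread; not DokuWiki code. Rule format and the
// namespace walk follow the discussion above, helper names are hypothetical.

const AUTH_NONE = 0;
const AUTH_READ = 1;

// Constructed ACL table: root readable, "private" namespace denied,
// "public" namespace readable except for one page-level deny.
$AUTH_ACL = [
    "*\t@ALL\t1",
    "private:*\t@ALL\t0",
    "public:*\t@ALL\t1",
    "public:draft\t@ALL\t0",
];

// Normalise an id the way the thread describes internal ids: absolute,
// no leading ":" or ".", no empty segments (so "a::b" becomes "a:b").
function clean_id(string $id): string
{
    $parts = array_filter(explode(':', $id), fn($p) => $p !== '' && $p !== '.');
    return implode(':', $parts);
}

// Parent namespace of an id, '' at the root ("a:b:c" -> "a:b", "a" -> '').
function parent_ns(string $id): string
{
    $pos = strrpos($id, ':');
    return $pos === false ? '' : substr($id, 0, $pos);
}

// Permission of $subject on $id: the exact page rule first, then each
// enclosing namespace as "ns:*", then the root rule "*". With $clean false
// the raw id is matched as-is, which is the situation discussed above.
function acl_check(array $acl, string $id, string $subject, bool $clean): int
{
    if ($clean) {
        $id = clean_id($id);
    }
    $subj = preg_quote($subject, '/');

    $candidates = [$id];
    for ($ns = parent_ns($id); $ns !== ''; $ns = parent_ns($ns)) {
        $candidates[] = $ns . ':*';
    }
    $candidates[] = '*';

    foreach ($candidates as $path) {
        $hits = preg_grep('/^' . preg_quote($path, '/') . '\s+' . $subj . '\s+/', $acl);
        if ($hits) {
            $fields = preg_split('/\s+/', reset($hits));
            return (int) $fields[2];
        }
    }
    return AUTH_NONE;
}

// Constructed inputs: a ":"-prefixed id as returned via the docsearch plugin,
// and an id with ":" doubled. Each is checked raw and after clean_id().
foreach ([':private:page', 'public::draft'] as $raw) {
    printf("%-14s raw=%d cleaned=%d (%s)\n",
        $raw,
        acl_check($AUTH_ACL, $raw, '@ALL', false),
        acl_check($AUTH_ACL, $raw, '@ALL', true),
        clean_id($raw));
}
```

Tracing the raw path: ":private:page" yields the candidates ":private:page", ":private:*" and "*", none of which is the "private:*" deny rule, so the root rule grants read; "public::draft" yields "public::draft", "public::*", "public:*" and "*", skipping the page-level deny and landing on the namespace allow. After clean_id() both ids hit the intended deny. The regex anchor is not the variable here; what the raw lookups have in common is that the id never had the form the ACL rules are written in.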
