Differences

This shows you the differences between two versions of the page.

--- en:linux:dokuwiki:secu [2011/01/16 11:43]
matthieu
+++ en:linux:dokuwiki:secu [2011/10/04 22:16] (current)
matthieu ancienne révision restaurée
@@ Line 4: / Line 4: @@
 This page gives details how to secure the private sections of [[en:linux:Dokuwiki]].
-:!: Last update for version 2010-11-07.
+:!: Last update for version 2011-05-25a.
 ===== Create a private section =====
@@ Line 39: / Line 39: @@
 | en:*     | @ALL   | Read    |
-===== How to fully hide unauthorized pages  =====
+===== How to completely hide unauthorized pages  =====
-ACLs allow to limit the access to pages, but do not hide that they exist.\\
+ACLs allow to limit the access to pages, but do not hide them completely.\\
 This section discuss about security issues I found when using private areas, solutions are also provided.
+Issues are reported on the dokuwiki bug tracker here : http://bugs.dokuwiki.org/index.php?do=details&task_id=970
 ==== Demo ====
@@ Line 62: / Line 64: @@
 {{:linux:dokuwiki:doku_secu_1_4.png|}}
-The detail of each issue is described bellow.
+The detail of the issues :
+  * Even if the content is bloqued, it is still possible to know his title if "use_heading" is enabled.
+  * The breadcrumb store visited pages only if they exist.
+  * When a page has a link to other pages, they can indicate if the page exists.\\
+    Moreover, if useheasing is on, the title of the page is also displayed.
-==== Displaying the title of hidden pages ====
+:!: Warning, the generated pages are cached, so a user can see the link as authorized if the cache content was generated for an authorized user.\\
-Even if the content is bloqued, it is still possible to know his title if "use_heading" is enabled.
+To avoid this case, don't use link to private parts in the public pages, or use NOCACHE directive.
-Patch : {{linux:dokuwiki:dokuwiki-2010-11-07_secu1.patch|}}
+Patch: {{:linux:dokuwiki:dokuwiki_2011-05-25_secu1.patch|}}
 <code>
-:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki-2010-11-07_secu1.patch
+:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki_2011-05-25_secu1.patch
-patching file parserutils.php
-:/opt/dokuwiki/inc#
-</code>
-==== The style used inside youarehere indicate if the page exists ====
-It is possible to identify if the page exist by looking at the style used inside "youarehere" (this text is used as the upper left title of my template).
-Patch : {{linux:dokuwiki:dokuwiki-2010-11-07_secu2.patch|}}
-<code>
-:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki-2010-11-07_secu2.patch
-patching file template.php
-:/opt/dokuwiki/inc#
-</code>
-==== The breadcrumb indicate if the page exists ====
-The breadcrumb store visited pages only if they exist.
-Patch : {{linux:dokuwiki:dokuwiki-2010-11-07_secu3.patch|}}
-<code>
-:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki-2010-11-07_secu3.patch
 patching file common.php
-:/opt/dokuwiki/inc#
-</code>
-==== The links inside the content show if the page exists and its title ====
-When a page has a link to other pages, they can indicate if the page exists.\\
-Moreover, if useheasing is on, the title of the page is also displayed.
-Patch : {{linux:dokuwiki:dokuwiki-2010-11-07_secu4.patch|}}
-<code>
-:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki-2010-11-07_secu4.patch
 patching file parser/xhtml.php
 :/opt/dokuwiki/inc#
 </code>
-:!: Warning, the generated pages are cached, so a user can see the link as authorized if the cache content was generated for an authorized user.\\
-To avoid this case, don't use link to private parts in the public pages, or use NOCACHE directive.
 ==== Patched Demo ====
@@ Line 143: / Line 116: @@
 </code>
+=== 2010-11-07 ===
+Patches for version 2010-11-07.
+== Displaying the title of hidden pages ==
+Even if the content is bloqued, it is still possible to know his title if "use_heading" is enabled.
+Patch : {{linux:dokuwiki:dokuwiki-2010-11-07_secu1.patch|}}
+<code>
+:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki-2010-11-07_secu1.patch
+patching file parserutils.php
+:/opt/dokuwiki/inc#
+</code>
+== The style used inside youarehere indicate if the page exists ==
+It is possible to identify if the page exist by looking at the style used inside "youarehere" (this text is used as the upper left title of my template).
+Patch : {{linux:dokuwiki:dokuwiki-2010-11-07_secu2.patch|}}
+<code>
+:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki-2010-11-07_secu2.patch
+patching file template.php
+:/opt/dokuwiki/inc#
+</code>
+== The breadcrumb indicate if the page exists ==
+The breadcrumb store visited pages only if they exist.
+Patch : {{linux:dokuwiki:dokuwiki-2010-11-07_secu3.patch|}}
+<code>
+:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki-2010-11-07_secu3.patch
+patching file common.php
+:/opt/dokuwiki/inc#
+</code>
+== The links inside the content show if the page exists and its title ==
+When a page has a link to other pages, they can indicate if the page exists.\\
+Moreover, if useheasing is on, the title of the page is also displayed.
+Patch : {{linux:dokuwiki:dokuwiki-2010-11-07_secu4.patch|}}
+<code>
+:/opt/dokuwiki/inc# patch -p 1 < /root/dokuwiki-2010-11-07_secu4.patch
+patching file parser/xhtml.php
+:/opt/dokuwiki/inc#
+</code>
+:!: Warning, the generated pages are cached, so a user can see the link as authorized if the cache content was generated for an authorized user.\\
+To avoid this case, don't use link to private parts in the public pages, or use NOCACHE directive.

en/linux/dokuwiki/secu.1295174636.txt.gz · Last modified: 2011/01/16 11:43 by matthieu

Show page Old revisions

Backlinks Back to top

Menu

Index

Differences