
Item12875: Add controls on some debugging options

Priority: Security
Current State: Closed
Released In: 2.0.0
Target Release: major
Applies To: Engine
Component: Configure
Branches: trunk
Reported By: GeorgeClark
Waiting For:
Last Change By: GeorgeClark

A few things probably ought to be restricted.

-- GeorgeClark - 29 Apr 2014

It's possible to bypass security enforcing plugins, like AntiwikiSpamPlugin, SafeWikiPlugin, etc. by using the debugenabledplugins URL param. This should probably be disabled by default.

Since it could be sent in a url to an admin user, this should be disabled for all users, not just logged in users, or even the admin group.

# **BOOLEAN**
# Enable this to allow use of the <tt>debugenabledplugins</tt> URL param.
# This parameter could be used to disable security related extensions, and is not recommended to be enabled.
$Foswiki::cfg{AccessControl}{debugenabledplugins} = 0;

-- GeorgeClark - Apr 2014

My view is more radical; debugenabledplugins should only be enabled when DEBUG is enabled. DONE in distro:da599d92f86b

-- CrawfordCurrie - 03 May 2014
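The two proposals above (a config switch, and honouring the override only under DEBUG) can be combined into a single gate on the request-supplied plugin list. The snippet below is an added illustration, not Foswiki's own code: the config keys mirror the setting proposed above, and the list of security plugins is a constructed example.

```perl
use strict;
use warnings;

# Constructed list for the example: plugins that must never be dropped by an override.
my @security_plugins = qw(AntiWikiSpamPlugin SafeWikiPlugin);

# Returns an array ref of plugins to enable for this request.
#   $cfg        - hash ref mirroring $Foswiki::cfg (assumed layout: {DEBUG} and
#                 {AccessControl}{debugenabledplugins}, as proposed in this task)
#   $param      - raw value of the debugenabledplugins URL parameter, or undef
#   $configured - array ref of the normally enabled plugins
sub effective_plugins {
    my ( $cfg, $param, $configured ) = @_;

    # Ignore the URL parameter unless the site explicitly allows it AND is in DEBUG
    # mode; a link carrying the parameter then does nothing for anyone, admin or not.
    return $configured
      unless $cfg->{DEBUG} && $cfg->{AccessControl}{debugenabledplugins};
    return $configured unless defined $param && length $param;

    my @requested = grep { length } split /\s*,\s*/, $param;

    # Even when the override is honoured, refuse to drop a security-enforcing plugin.
    my %have = map { $_ => 1 } @requested;
    push @requested, grep { !$have{$_} } @security_plugins;
    return \@requested;
}

# Constructed usage: an override sent to a site with the switch off is ignored.
my %cfg = ( DEBUG => 0, AccessControl => { debugenabledplugins => 0 } );
my $plugins = effective_plugins( \%cfg, 'SomeHarmlessPlugin',
    [qw(AntiWikiSpamPlugin SafeWikiPlugin SomeHarmlessPlugin)] );
print join( ',', @$plugins ), "\n";
```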

Added LynnwoodBrown to Waiting For; he is looking into some template changes to hide history links which might be handy.

-- GeorgeClark - 05 Nov 2014

I don't think the example I was showing someone on IRC (link to log) is too relevant here. As I understand the above discussion, the proposed feature would specifically disable certain security-related plugins. I was simply showing how to override default template definitions. Turns out it was trickier than I first thought because the %REVISIONS% macro would not expand inside an IF macro. But that's another discussion...

-- LynnwoodBrown - 05 Nov 2014

Topic revision: r12 - 05 Mar 2016, GeorgeClark