From 2d5a62dc16fd8401898c01860ae8bf481dafa283 Mon Sep 17 00:00:00 2001 From: "http://smcv.pseudorandom.co.uk/" Date: Mon, 3 Mar 2014 08:06:27 -0400 Subject: [PATCH 1/1] new bug report with patch --- ...t_comments_that_will_not_be_displayed.mdwn | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 doc/bugs/possible_to_post_comments_that_will_not_be_displayed.mdwn diff --git a/doc/bugs/possible_to_post_comments_that_will_not_be_displayed.mdwn b/doc/bugs/possible_to_post_comments_that_will_not_be_displayed.mdwn new file mode 100644 index 000000000..488fa0066 --- /dev/null +++ b/doc/bugs/possible_to_post_comments_that_will_not_be_displayed.mdwn @@ -0,0 +1,32 @@ +[[!template id=gitbranch branch=smcv/ready/comments author="[[smcv]]" +browse="http://git.pseudorandom.co.uk/smcv/ikiwiki.git/shortlog/refs/heads/ready/comments"]] +[[!tag patch]] + +The ability to post comments depends on several factors: + +* `comments_pagespec` controls whether comments on a particular + page will be displayed +* `comments_closed_pagespec` controls whether comments on + a particular page are allowed +* the `check_canedit` call controls whether comments are allowed + for a particular combination of page and user + +If `check_canedit` says that a user can post a comment +(in particular, if [[plugins/opendiscussion]] is enabled or +[[plugins/lockedit]] is disabled or permissive), +and `comments_closed_pagespec` does not contradict it, +then users who construct a `do=comment` CGI URL manually +can post comments that will not be displayed. I don't think +this is a security flaw as such, which is why I'm not +reporting it privately, but it violates least-astonishment. + +My `ready/comments` branch fixes this, by changing the test +at submission time from (pseudocode) + + !comments_closed_pagespec && check_canedit + +to + + comments_pagespec && !comments_closed_pagespec && check_canedit + +--[[smcv]] -- 2.39.5