
...

The initial handling of form data within the code was quite insecure, and several areas of the site are still this way. After learning more about web security, I developed a security model based on "continuations". All of the pages have been converted to using continuations.

Deep linking into the site is only allowed for modes in the $actions['entry'] array in states.php. Anything else requires the submission of a continuation. For the most part, access to different parts of the site is controlled by what privileges you have in the Privileges section of the site. However, there are a few things controlled by a user's adminlevel field in the user table. The very earliest form of authorization was handled by the user's adminlevel field, and it has continued to be useful in a few situations.

All form data passed in to the site should be verified very strictly. Unfortunately, that is not currently the case. All of the main pages available to the average user should have been updated to have strict validation, though other parts of the site have not made it yet. Most sections of the site have a single function (or a very small number of similar functions) that handle the processing of form data. This will make it easier to add better checks throughout the site as the number of locations needing to be modified is fairly small.

...

First, modify states.php to add a new mode.

...

  1. create a new $actions['mode'] entry with the name of your mode set to the name of the function that should be called
  2. create a new $actions['pages'] entry with the name of your mode set to the name of the section this mode belongs to. This is only an internal identifier used to associate modes together.

So, if your mode is named "examplemode", you could end up with these two lines being added:

    $actions['mode']['examplemode'] = "exampleFunc1";
    $actions['pages']['examplemode'] = "exampleSection";

...

While we're editing states.php, let's jump to the top and add our new mode to $actions['entry'] so that it can be called directly without having to already be on the site. Just add 'examplemode' as a new item at the end of the array.

The next thing to do is to actually add the functions. Let's place them in a new file called 'examples.php' in the .ht-inc directory. Our first function can be really simple and just print out some text. So, create examples.php with this in it:

...
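To show how the three states.php registrations from the walkthrough and the "entry mode or continuation" rule from the security model section fit together, here is an added example. It is not the project's own code: the site's real dispatcher and continuation format are not described on this page, so the HMAC-signed, single-use, session-bound token and the dispatch() function below are assumptions made for illustration, as are the names createContinuation and consumeContinuation.

```php
<?php
// Added example, not the project's own code. Continuation format and the
// dispatcher are assumptions; only $actions, examplemode, exampleFunc1 and
// exampleSection come from the walkthrough above.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// --- states.php: the three registrations the walkthrough adds ---
$actions = array('mode' => array(), 'pages' => array(), 'entry' => array());
$actions['mode']['examplemode']  = "exampleFunc1";
$actions['pages']['examplemode'] = "exampleSection";
$actions['entry'][] = 'examplemode';   // may be deep-linked without a continuation

// --- examples.php: the first, trivial mode function ---
function exampleFunc1() {
    print "Hello from examplemode\n";
}

// --- hypothetical continuation helpers ---
// Issue a token that lets the current session reach $mode exactly once.
// Storing the nonce server-side is what binds it to this session and makes it single-use.
function createContinuation($mode, $secret) {
    $nonce   = bin2hex(random_bytes(16));
    $payload = $mode . ':' . $nonce;
    $mac     = hash_hmac('sha256', $payload, $secret);
    $_SESSION['continuations'][$nonce] = $mode;
    return $payload . ':' . $mac;
}

// Validate and consume a token; returns the mode it authorizes, or false.
function consumeContinuation($token, $secret) {
    $parts = explode(':', (string)$token);
    if (count($parts) !== 3) {
        return false;
    }
    list($mode, $nonce, $mac) = $parts;
    $expected = hash_hmac('sha256', "$mode:$nonce", $secret);
    if (!hash_equals($expected, $mac)) {           // constant-time compare
        return false;
    }
    if (!isset($_SESSION['continuations'][$nonce]) ||
        $_SESSION['continuations'][$nonce] !== $mode) {
        return false;                              // unknown, replayed, or wrong session
    }
    unset($_SESSION['continuations'][$nonce]);     // single use
    return $mode;
}

// --- hypothetical dispatcher implementing the rule from the security model section ---
function dispatch(array $actions, array $request, $secret) {
    // Strict validation: mode must be a registered key, not an arbitrary string.
    $mode = isset($request['mode']) ? $request['mode'] : '';
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $mode) || !isset($actions['mode'][$mode])) {
        http_response_code(400);
        return false;
    }
    // Deep linking is allowed only for entry modes; everything else needs a continuation.
    if (!in_array($mode, $actions['entry'], true)) {
        $authorized = isset($request['continuation'])
            ? consumeContinuation($request['continuation'], $secret)
            : false;
        if ($authorized !== $mode) {
            http_response_code(403);
            return false;
        }
    }
    call_user_func($actions['mode'][$mode]);
    return true;
}

// Usage: the secret is a placeholder and would come from per-deployment configuration.
$secret = 'PLACEHOLDER-PER-DEPLOYMENT-SECRET';
dispatch($actions, $_GET, $secret);
```

With this layout, a request for `?mode=examplemode` is served directly because examplemode is in $actions['entry']; a mode that is registered in $actions['mode'] but not in $actions['entry'] is refused with 403 unless the request carries a continuation that was issued to the same session and has not yet been used, and an unregistered or malformed mode is refused with 400 before any function is looked up.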