Description
Any user can enter the URL of a nonexistent page. While rendering the page head, moin inserts attachment rel links, even for a nonexistent page, and that creates a directory inside data_dir/pages. With a simple script, a malicious user can create thousands of empty directories on the hard disk, slowing down or even crashing the server, depending on the filesystem used.
Example
URL: x y z (look in the pages dir...)
Details
Affected Moin Versions: 1.2+, perhaps earlier versions
Discussion
A fix for this (based on moin--main--1.2, easy to integrate into 1.3): makedirbug.diff
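The pattern behind this bug, next to a lookup that does not write on read and an audit for leftover empty directories, as an added example. It is not moin's code and not the contents of makedirbug.diff; the function names and the directory layout in the sample are assumptions made for illustration.

```python
import os
import tempfile

def attach_dir_creating(pages_dir, pagename):
    """Flawed pattern: a read-only lookup creates the page directory as a side effect."""
    path = os.path.join(pages_dir, pagename, "attachments")
    os.makedirs(path, exist_ok=True)
    return path

def attach_dir(pages_dir, pagename, create=False):
    """Safer pattern: only write paths (such as an upload) pass create=True."""
    path = os.path.join(pages_dir, pagename, "attachments")
    if create:
        os.makedirs(path, exist_ok=True)
    return path if os.path.isdir(path) else None

def find_empty_page_dirs(pages_dir):
    """Return names of page directories that hold no files at any depth."""
    empty = []
    for name in sorted(os.listdir(pages_dir)):
        top = os.path.join(pages_dir, name)
        if not os.path.isdir(top):
            continue
        if not any(files for _, _, files in os.walk(top)):
            empty.append(name)
    return empty

def demo():
    """Build a constructed pages dir and compare both lookups on missing pages."""
    with tempfile.TemporaryDirectory() as pages_dir:
        # Constructed sample: one real page that owns an attachment file.
        real = os.path.join(pages_dir, "FrontPage", "attachments")
        os.makedirs(real)
        with open(os.path.join(real, "logo.png"), "wb") as f:
            f.write(b"constructed sample bytes")
        safe = attach_dir(pages_dir, "NoSuchPage1")    # creates nothing
        attach_dir_creating(pages_dir, "NoSuchPage2")  # leaves a directory behind
        return safe, find_empty_page_dirs(pages_dir)

if __name__ == "__main__":
    print(demo())
```

Running `find_empty_page_dirs` against a copy of the real data_dir/pages gives a count of directories left behind by requests for pages that never existed.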
Plan
- Priority: High
- Assigned to: OliverGraf
- Will be fixed in release: fixed in arch moin--main--1.2