#pragma secure

Whenever a page tagged with '#pragma secure' is accessed, the protocol is checked: if it is https the page is served, and if it is http then moin issues an automatic redirect to the same page served over https.

Secure pages are NEVER transported over insecure links.

There might even be client certificate validation, so that the page will only be served to registered clients (needs to be worked out). Example: #pragma secure([SomeUser,SomeotherUser]). See also the patch on the SF patch tracker.

-- cehteh 2004-04-05

Multiple AUTH_TYPEs

In request.py on line 123 (in the 1.2.1 distribution) it specifically checks for an AUTH_TYPE of Basic. Unfortunately, this turns out to be too limiting. mod_pubcookie, for example, allows setting arbitrary AUTH_TYPEs, yet still fakes Basic authentication. The question then becomes, should we merely check that AUTH_TYPE is set and not empty, or should we create e.g. config.auth_types = ['Basic',] and then use 'in' to test for membership?

It turns out there is another complication here: user preferences with ACLs. It's currently impossible (AFAICT) to successfully use user preferences with auth_http_enabled and ACLs. Or at least it is in my environment. Because we're using Kerberos as the underlying authenticator for mod_pubcookie, we get userids that look like, e.g. geek@ANDREW.CMU.EDU. The use of ACLs enforces the WikiName format for userids. That said, creating ACL groups (and referencing them) seems to work just fine when they contain these long usernames.
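The two options from the question above, side by side with the current Basic-only check, as an added example that is not MoinMoin's code or part of the original proposal. The function names, the "ExampleSSO" scheme name, the sample environments and the simplified WikiName pattern are all assumptions made for illustration.

```python
import re

# Simplified stand-in for a WikiName check (assumption, not MoinMoin's own regex).
WIKINAME = re.compile(r"^(?:[A-Z][a-z]+){2,}$")

def hardcoded_basic(auth_type):
    """Behaviour described on the page: only AUTH_TYPE 'Basic' is accepted."""
    return auth_type == "Basic"

def any_nonempty(auth_type):
    """Option 1: accept whatever scheme the web server reports."""
    return bool(auth_type.strip())

def in_allow_list(auth_type, auth_types):
    """Option 2: membership test against a configured list (config.auth_types)."""
    # HTTP auth scheme names are case-insensitive, so compare lowercased.
    return auth_type.strip().lower() in {t.lower() for t in auth_types}

def http_auth_user(environ, accept):
    """Return the server-authenticated user id, or None if it must not be trusted."""
    auth_type = environ.get("AUTH_TYPE", "")
    user = environ.get("REMOTE_USER", "").strip()
    if not user or not accept(auth_type):
        return None
    return user

# Constructed CGI environments; "ExampleSSO" is a placeholder scheme name.
SAMPLES = {
    "basic":   {"AUTH_TYPE": "Basic", "REMOTE_USER": "JoeDoe"},
    "sso":     {"AUTH_TYPE": "ExampleSSO", "REMOTE_USER": "geek@ANDREW.CMU.EDU"},
    "unknown": {"AUTH_TYPE": "Surprise", "REMOTE_USER": "SomeUser"},
    "no_type": {"AUTH_TYPE": "", "REMOTE_USER": "SomeUser"},
}

def compare(auth_types):
    """Map each sample to the user id returned under the three policies."""
    policies = {
        "basic_only": hardcoded_basic,
        "non_empty": any_nonempty,
        "allow_list": lambda t: in_allow_list(t, auth_types),
    }
    return {name: {p: http_auth_user(env, fn) for p, fn in policies.items()}
            for name, env in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in compare(["Basic", "ExampleSSO"]).items():
        user = SAMPLES[name]["REMOTE_USER"]
        print(name, result, "WikiName" if WIKINAME.match(user) else "not a WikiName")
```

The non-empty check trusts any scheme the server happens to report, while the list only trusts schemes the administrator named; the Kerberos-style id is accepted by both but still fails the WikiName pattern.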

ACLs for history

There should be a way to All: read but forbid history viewing. On private wikis this would help a lot, since if you posted something and then removed it, nobody else could see what you've removed.

ACLs should be considered in the history

Only those revisions of a page should be visible in the history (or "diffable" in the page's own history), that the user has rights to.

If I privately edit a page, that is tagged "#acl All:", and later on publish the page by removing the #acl-line, then every user can also see those revisions, which were still tagged.

Executor Bit for Parsers

All these principles are doomed to fail in a wiki ... the correct way is to fix the parser of course. JohannesBerg put serious efforts into making the LaTeX plugins secure. Look at his homepage for further details.

SSL support for the standalone server

I've created a patch to add TLSLite support to the standalone server. This provides a totally portable (complete Python implementation) secure Wiki. It may be slow, but in many cases it's good enough. The patch is at: MoinMoinPatch/StandaloneServerTLSLiteSupport.

The patch adds two config variables that must be specified in moin.py. moin.py must have the server's private key and CA certificate. The private key cannot be password protected (limitation of TLSLite without additional support libraries). The server forces SSL connections (redirects to SSL); it will not run in mixed mode.

MoinMoin: SecurityProposals (last edited 2007-10-29 19:18:06 by localhost)