# HG changeset patch
# User Thomas Waldmann
# Date 1327421069 -3600
# Node ID 99e2309a7ec0ecbae5eaf4d7ea4a0620f0f6111d
# Parent ff39884957af5fe465eea886124177c848af2b6d
xslt/4suite insecurity hint, always keep allow_xslt = False
diff -r ff39884957af -r 99e2309a7ec0 MoinMoin/config/multiconfig.py
--- a/MoinMoin/config/multiconfig.py Thu Jan 19 16:21:14 2012 +0100
+++ b/MoinMoin/config/multiconfig.py Tue Jan 24 17:04:29 2012 +0100
@@ -787,7 +787,7 @@
 "Exclude unwanted actions (list of strings)"),
 ('allow_xslt', False,
- "if True, enables XSLT processing via 4Suite (note that this enables anyone with enough know-how to insert '''arbitrary HTML''' into your wiki, which is why it defaults to `False`)"),
+ "if True, enables XSLT processing via 4Suite (Note that this is DANGEROUS. It enables anyone who can edit the wiki to get '''read/write access to your filesystem as the moin process uid/gid''' and to insert '''arbitrary HTML''' into your wiki pages, which is why this setting defaults to `False` (XSLT disabled). Do not set it to other values, except if you know what you do and if you have very trusted editors only)."),
 ('password_checker', DefaultExpression('_default_password_checker'),
 'checks whether a password is acceptable (default check is length >= 6, at least 4 different chars, no keyboard sequence, not username used somehow (you can switch this off by using `None`)'),
diff -r ff39884957af -r 99e2309a7ec0 docs/CHANGES
--- a/docs/CHANGES Thu Jan 19 16:21:14 2012 +0100
+++ b/docs/CHANGES Tue Jan 24 17:04:29 2012 +0100
@@ -18,6 +18,10 @@
 Version 1.9.4:
+ SECURITY HINT: make sure you have allow_xslt = False (or just do not use
+ allow_xslt at all in your wiki configs, False is the internal default).
+ Allowing XSLT/4suite is very dangerous, see HelpOnConfiguration wiki page.
+
 HINT: Python >= 2.5 is maybe required! To use all the code that is bundled in the MoinMoin download release, you are required to have Python >= 2.5 now. This is primarily due to
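Review bot: The rewritten description on the `+` line in the multiconfig.py hunk documents the risk, but nothing in the hunk backs the commit title's "always keep allow_xslt = False": the option stays an ordinary config tuple and an operator who sets it to True gets no runtime signal at all. If this file validates the loaded config somewhere outside the hunk (not visible here), logging a warning there when `allow_xslt` is True would surface the risk in the server log instead of only in the help text that few operators read. Two wording points in the same string: "except if you know what you do" should read "unless you know what you are doing", and the parenthesis opened at "(Note that this is DANGEROUS." only closes after the last sentence while a nested "(XSLT disabled)" sits inside it, so ending the parenthesis after "wiki pages" and stating the default and the advice as plain sentences reads more clearly. The option table this tuple belongs to starts and ends outside the hunk.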