-
2011-08-25
trapman
The security check logic seems to be broken.
As inc/html.php lines 1429-1430 read:
<img src="data/security.png" alt="Your data directory seems to be protected properly."
onerror="this.parentNode.style.display=\'none\'" />
means that either one can access the image (thus, weak security), or the entire administration page will be hidden (thus, extra strong security :)
Note that the image itself reads "It seems your data directory is not properly secured", while its alt text says the opposite.
-
2011-08-27
trapman
After further investigation I have found that the problem lies somewhere else. The problem is not in the <img> tag itself, but rather somewhere else, in something that strips away the <a> tag surrounding the image.
Because of that, "this.parentNode" refers not to the <a> tag, as designed, but to <div class="page">, and the entire page style is set to display:none.
As a temporary fix I suggest the following (redundant <div> inserted):
echo '<a style="border:none; float:right;"
href="http://www.dokuwiki.org/security#web_access_security"><div style="border:none; float:right">
<img src="data/security.png" alt="Your data directory seems to be protected not properly."
onerror="this.parentNode.style.display=\'none\'" /></div></a>';
Something still strips the <a> tag, but the <div> remains in place, so this.parentNode is fine now.
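The failure mode described in this comment, as an added example that is not part of the thread or of DokuWiki's code. The node objects are a constructed stand-in for DOM elements, and `el`, `buildPage`, `simulate` and `guardedOnError` are hypothetical names; `guardedOnError` is one possible way to keep the handler from hiding an unexpected parent.

```javascript
// Minimal stand-in for DOM elements so the handlers run outside a browser (constructed).
function el(tag, className, children = []) {
  const node = { tagName: tag.toUpperCase(), className, style: {}, parentNode: null, children };
  for (const c of children) c.parentNode = node;
  return node;
}

// Handler as quoted from inc/html.php: hides whatever the parent happens to be.
function originalOnError(img) {
  img.parentNode.style.display = 'none';
}

// Hypothetical guarded handler: hide the parent only when it is the expected
// <a> wrapper; otherwise hide just the image itself.
function guardedOnError(img) {
  const parent = img.parentNode;
  const target = parent && parent.tagName === 'A' ? parent : img;
  target.style.display = 'none';
}

// Build <div class="page">[<a>]<img></div>, with or without the <a> wrapper
// (without it models the case where something stripped the link).
function buildPage(withAnchor) {
  const img = el('img', '');
  const page = el('div', 'page', [withAnchor ? el('a', '', [img]) : img]);
  return { page, img };
}

// Simulate the image failing to load (data directory is protected) and
// report which elements ended up hidden.
function simulate(handler, withAnchor) {
  const { page, img } = buildPage(withAnchor);
  handler(img);
  const hidden = (n) => n.style.display === 'none';
  return {
    pageHidden: hidden(page),
    imgHidden: hidden(img),
    linkHidden: withAnchor && hidden(img.parentNode),
  };
}
```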
-
2011-08-29
lupo49
Do you use a default DokuWiki installation? Or one with several plugins and another template?
I tried to reproduce it with the current git-HEAD but it works as it should. The parent <a> became invisible and hence the image also.
-
2011-08-29
trapman
I tried more with a fresh installation (I used an updated installation when I got the bug), and yes, it was a plugin bug - the most suspicious is fblogin, or its (fblogin) combination with something else. The bug disappears if fblogin is not installed.
Unfortunately, I do not have enough knowledge of the DokuWiki architecture to investigate deeper, and I will request closure of this bug.
Sorry for the false alarm.
-
2011-08-29
trapman
So, only a tiny bug with src="data/security.png" alt="Your data directory seems to be protected properly." remains - the image text does not correspond to the alt text.
-
2011-08-30
lupo49
Please inform the author of fblogin about this issue.